Date: Mon, 24 Jun 2002 21:32:26 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: Sean Kelly <smkelly@zombie.org>
Cc: Ted Cabeen <secabeen@pobox.com>, "Jacques A. Vidrine" <nectar@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
Message-ID: <200206250332.g5P3WQLJ024062@cvs.openbsd.org>
In-Reply-To: Your message of "Mon, 24 Jun 2002 22:29:27 CDT." <20020625032927.GA6579@edgemaster.zombie.org>
This one is clearly different. We have a tool which can avoid people being holed, without having to publish a patch. If you don't understand that, please go back and study the situation more.

By holding this information back for a few more days, we are permitting a very important protocol to be upgraded in an immune way, OR YOU CAN TURN IT OFF NOW.

> On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote:
> > I'm not giving away any hints. Assume the worst and do the upgrade,
> > and if you dislike the way I handled this, don't buy me that beer
> > later.
>
> I'm just curious when this OpenBSD policy change took effect. According to
> http://www.openbsd.org/security.html#disclosure:
>
> Full Disclosure
> Like many readers of the BUGTRAQ mailing list, we believe in
> full disclosure of security problems. In the operating system
> arena, we were probably the first to embrace the concept. Many
> vendors, even of free software, still try to hide issues from
> their users.
>
> Security information moves very fast in cracker circles. On the
> other hand, our experience is that coding and releasing of
> proper security fixes typically requires about an hour of work
> -- very fast fix turnaround is possible. Thus we think that
> full disclosure helps the people who really care about
> security.
>
> Not all of us are in the position to use cutting edge OpenSSH-portable
> versions. By you holding back this information, you are only hurting those
> who *CAN'T* upgrade to your latest and greatest. Has there actually been
> enough testing of privsep to say that it contains no bugs? It seems to me
> that we'd all be better off if you just released a diff and let us all fix
> our own wounds.
>
> --
> Sean Kelly | PGP KeyID: 77042C7B
> smkelly@zombie.org | http://www.zombie.org