> Dunno. If your ISP was running on OpenBSD it would be pretty damn > annoying. Sure it would be. Luckily the kernel debugger tells you which user did it. Now, shall I list 50 ways to crash a NetBSD box from the shell? > Personally, I find the constant claims that OpenBSD is more secure > than FreeBSD and NetBSD annoying. That's fine Perry.. many of us find you annoying too. I have seen public claims by Warner Losh (a FreeBSD auditor) that OpenBSD is more secure. Alan Cox has made similar statements. So has Chris Evans (Linux security audit project). The L0pht folk have been impressed with our efforts. Apparently even some AT&T security people like what they see. I could probably grab more names out of the hat. But who knows, they may be wrong. Our team will keep auditing. Our work is not done. We are trying to do something. > We all do extensive security work. Well, I am unaware of any _new_ security problem reports coming out of the NetBSD community in the last while. ie. the recent at(1) problem which your team's "security work" brought to light appears to have affected noone else. It looks like everyone else already had that fixed ages and ages ago). I'd provide more examples of NetBSD security work, but I think I've just exhausted the list. I'm sure you've got a more substantial list of new bugs discovered by the NetBSD team. If people want to have fun with NetBSD systems, look at some of the problems described at www.openbsd.org/security.html. Many of those bugs (and patches) have been posted there for months, yet the NetBSD group is apparently too busy with extensive security work to look into fixing those problems. There might even be a crashing bug there. You're taking a little localhost "any user can crash the machine" bug and trying to extrapolate that into a failure of our auditing process. Are you trying to goad me into stooping to your level the next time I see a "any user can crash the machine" fix applied to NetBSD? > This is just another example of a fairly common situation -- in > which OpenBSD has a bug that other BSDs don't. Sometimes it is the > other way around, too, but you'd think from the propaganda that it was > always, or even usually, OpenBSD that was the most secure system. Well, over the last two years it does look like we found and fixed most of the holes first. I think so. Everyone, have we been doing a good job or not? But you are disputing that, right? Perry -- I see your NetBSD commits! You don't even do security commits! You don't even try to fix security problems (but you lambaste people who do try). I think you do not know what you are talking about. You mostly fix man pages and change the spelling of NORVEGIAN to NORWEGIAN! (I should compile a list of perry commits so that people can see how weak Perry's credentials look).
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:09:16 PDT