Theo de Raadt writes:
> > > did it. Now, shall I list 50 ways to crash a NetBSD box from the shell?
> >
> > I would highly appreciate it if you would. The NetBSD project believes
> > in the same philosophy of open disclosure that the BUGTRAQ mailing
> > list runs on. What you know about you can fix, what you don't know
> > about *can* hurt you. By all means, please make your list public. If
> > you tell us about these 50 ways to crash a NetBSD box from the shell,
> > we can fix them. If you don't tell us about them, we cannot fix them.
>
> Our source tree is available for anonymous cvs. You can look at it.
> Detailed commit messages are available.

Most of your security CVS messages, Theo, say things like "pretty" or "oops" or "fixed problem". This doesn't help people who are watching your CVS commits list much -- it is hard to read every line you add to your source tree. It would be much easier if you simply sent out security information in a reasonably detailed way.

If you actually have 50 ways to crash a NetBSD box from the shell, please, by all means tell us what they are. BUGTRAQ is primarily for full disclosure, not for telling us that you know something we don't know.

> How about the various problems at http://www.openbsd.org/security.html
> which have been sitting there for months?

I believe we've fixed those, except for the ones that do not apply to us and a few on which there are honest disagreements.

> I'm sorry, Perry. I am not being paid to audit your insecure little
> operating system managed by nasty argumentative people.

Sigh. I was under the impression that most people around here are believers in the Open Source philosophy and would rather share information than hoard it.

In any case, I hope that most people around here are more generous about trying to help each other out in improving system security. That's what BUGTRAQ is for, after all.

Perry
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:09:21 PDT