Re: OpenBSD 2.9,2.8 local root compromise

From: dmuz (dmuzat_private)
Date: Fri Jun 15 2001 - 09:17:29 PDT


    On Fri, Jun 15, 2001 at 09:18:15AM +0200, Andreas Haugsnes said:
    
    First off, I am in no way an official representative of OpenBSD, but I
    feel that there is an unfair stigma against OpenBSD, and I want to
    dispel that. I don't know if this will get through seeing as how it is
    lacking "technical content" relevant to BUGTRAQ, but I think that if
    people can post their *opinions* on OpenBSD and security issues, I
    should be able to post my reply.
    
    > I must say that I gasped and had to wipe sweat from my
    > forehead when I read, tested and could confirm this
    > exploit.
    
    Do you do this every time an exploit comes out for any Linux vendor, or
    Microsoft? You must have a sweaty forehead.
    
    > 
    > The OpenBSD-team has known about this for -6- days (15th of June),
    > and they haven't been able to come up with at least a temporary fix?
    
    I'd like to know what method of notification Georgi used. Did he file a
    confidential bug report, or did he just send an email to Theo? He could
    have also sent an email to one of the mail lists, stating that he had
    discovered a problem and could someone "in the know" contact him.
    
    > I can't find anything on errata / security warnings,
    > what's up with that?
    
    What's up with people acting like the sky is falling when any type of
    exploit is released for OpenBSD? I'd be interested to see a graph of
    released exploits for Operating Systems. Where do you think OpenBSD
    would be on that chart in relation to others?
    
    The reality is that the OpenBSD development team is small, and busy. And
    yes this is a problem, and yes they were notified, and yes no one officially
    responded to this BUGTRAQ post and they did not have a patch ready to
    go. Most of these developers are people just like you and me who have
    jobs and work on OpenBSD because they enjoy it, and like the ideals
    behind OpenBSD. No one is getting rich on doing this, believe me.
    
    If what you desire is someone to be there for you night and day, to
    have a patch right away, you should probably be running another OS. I'm
    not just saying that to be rude or refute the problem with a "go away"
    attitude. I'm serious. 
    
    In conclusion, OpenBSD never claimed that they were never going to be
    vulnerable to security issues, and they promised that they would be able
    to fix everything in a timely manner. But when I look at the
    alternatives, for some reason I still prefer it. Go figure...
    
    btw.. if you made it through my rant here is your reward:
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c
    
    -- 
    dmuz
    <dmuz.angrypacket.com>
    <sec.angrypacket.com>
    



    This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 19:53:03 PDT