If my opinions were misunderstood, I'll apologize for that. I am currently an 'eager and happy user' of OpenBSD. Used it for a couple of years, and I must say that it has been among the better operating systems. On the side I use FreeBSD, for servers as well as desktops. The reason that I reacted was that normally, fixes for 'more trivial' errors are corrected -by day-. The coders of OpenBSD are among the better, and up to now have delivered patches/fixes -fast-, as well as informing users (see you/me) about it.

(If you in any sense feel that this discussion is taking a 'useless turn', just say so. In the deep end, we're both users and enjoying every minute of it. :) )

Now, going back to your answer here. The reason I reacted the way I did was not because I think "Microsoft is better". I have a very neutral opinion of OSes, and some users may prefer the ones easier to use. The only reason is that a fix wasn't posted on errata. No information regarding such an -important- event. How about all the users that use OpenBSD on important servers? No information on the subject was posted before the exploit, and that's what scares me.

> Do you do this every time an exploit comes out for any Linux vendor, or
> Microsoft? You must have a sweaty forehead.

<irony quotation mark, end> And I have -never- claimed that this is bad versus other systems. But this is not a "match OS issue", please stick to the real issue.

> I'd like to know what method of notification Georgi used. Did he file a
> confidential bug report, or did he just send an email to Theo? He could
> have also sent an email to one of the mail lists, stating that he had
> discovered a problem and could someone "in the know" contact him.

Of course, this could be the situation. If it's "that explainable", I recall all my remarks.

> What's up with people acting like the sky is falling when any type of
> exploit is released for OpenBSD? I'd be interested to see a graph of
> released exploits for Operating Systems. Where do you think OpenBSD
> would be on that chart in relation to others?

The difference between "getting bugs" and "telling people about it". It's -not- good policy to let the public know about the bugs / exploits before it has been posted / fixed by the vendor.

> The reality is that the OpenBSD development team is small, and busy. And
> yes this is a problem, and yes they were notified, and yes no one officially
> responded to this BUGTRAQ post and they did not have a patch ready to
> go. Most of these developers are people just like you and me who have
> jobs and work on OpenBSD because they enjoy it, and like the ideals
> behind OpenBSD. No one is getting rich on doing this, believe me.

I don't doubt that in a second, -but-. This is a -critical- bug. It gives -root compromise-. Think of the damage it causes if no one gets to know about the fixes in time? We're talking -heavy- financial losses.

> If what you desire is someone to be there for you night and day, to
> have a patch right away, you should probably be running another OS. I'm
> not just saying that to be rude or refute the problem with a "go away"
> attitude. I'm serious.

Night/day, no. But what I expect, as well as in any other -good coding environment-, is information about -critical- issues such as this. If no one gives the information in time, what's the point of even reading the news/mailing list/webpages?

> In conclusion, OpenBSD never claimed that they were never going to be
> vulnerable to security issues, and they promised that they would be able
> to fix everything in a timely manner. But when I look at the
> alternatives, for some reason I still prefer it. Go figure...

Partially agree, but also a "big issue here": if no one is there to "complain" or "say that things weren't handled well", then who will take their time to fix it? "Why fix something that isn't broke". People -need- to get things like this pointed out, people NEED to see that security is a growing issue, and at the least, people NEED to: INFORM THE USERS. (Excuse the caps.)

> btw.. if you made it through my rant here is your reward:
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c
> Revision 1.49 / (download) - annotate - [select for diffs] , Fri Jun 15 11:10:18 2001 UTC (6 hours, 38 minutes ago) by art

Yes, and do you think it's a coincidence that it's only 6 hours old? No, this proves the point I mentioned earlier. Now that the people have been informed (not in the best way, but still), a fix has been made. But. 6 days have passed, and no one outside the OpenBSD team has been informed. That's -not good-. (Which is the -only- point I'm trying to make here. :-) )

In the end, I would like to thank the developers of OpenBSD. The operating system is really good, and I hope to see more of it. Just to point out that I still prefer OpenBSD as a "more secure alternative".

Your annoyance,
Andreas Haugsnes
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 20:36:41 PDT