Open Source Security and Vendors

From: Andreas Steinmetz (astat_private)
Date: Mon Dec 24 2001 - 15:29:22 PST


    Maybe this isn't approved as my previous reply to the glibc glob problem.
    
    Maybe this doesn't contain sufficient ASCII art.
    
    Maybe I'm a minority BUGTRAQ doesn't care about nowadays.
    
    Maybe the old times when aleph1 would approve points of view are gone.
    
    Still:
    
    I do approve problem reports. I do approve the report of security fixes. What I
    don't approve is the way this is handled for open source software lately.
    
    Think of wu-ftpd or glibc. For wu-ftpd there was a call for vendors. Though I
    do approve such a call, it is not a good policy to leave people compiling their
    own code in the dark.
    
    It gets even worse for the glibc glob bug. Either you do use a certain distro
    (whichever) or you won't get any information at all. It _DOESN'T_ help a bit
    when notifications become 'get your RPM here and there' without any pointer to
    a source fix.
    
    Vendors should keep in mind that they're dealing with open source software. I
    will not stress the (L)GPL in case of the glob problem. In fact I'm not one of
    those seeking some kind of religious (L)GPL belief.
    
    On the other hand it _IS_ at least annoying that, as far as I know
    (correct me if I'm wrong), at least one major U.S. based Linux vendor may
    invalidate any basic service contract if you even try to compile a kernel
    yourself and on the other hand 'generously' ships MBs of sources for a
    security fix without pointing to the actual fix at all (not that this isn't
    true for other vendors).
    
    If we're down to the point where BUGTRAQ is beyond publishing the actual fix
    for open source software, be it by asking/pressing vendors of open source
    software to provide pointers to unified diffs or just neglecting to approve
    security reports not pointing to a straightforward fix, it will be better for
    security sensitive people to think of a new list.
    
    It _IS_ a difference pointing to a closed source fix and to _NOT_ providing a
    pointer to an open source fix.
    
    From my point of view, vendors not pointing to a 'real' fix but only to RPMs do
    _NOT_ have any sensitivity in security at all. I would (provocative laughter)
    ask them to join the circle of closed source companies. In this case they may
    keep on stating things as they do now.
    
    PS:
    Flames will not be replied to. Reasonable discussion will.
    
    
    Andreas Steinmetz
    D.O.M. Datenverarbeitung GmbH
    
    This archive was generated by hypermail 2b30 : Tue Dec 25 2001 - 09:43:50 PST