All the security in the world does me no good Yes. If I wasn't then there wouldn't be I track -STABLE, because I want reliability. I won't get the next unsung fix until an errata is announced that might affect me. I've better things to do No, but if security errata announcements aren't delivered in a fashion that delivers them to a human then they do no good. I should not be expected to peruse the misc@openbsd.org list to find errata announcements. OpenBSD says announcements will be made on security-announce when patches become available. This did not happen. Ergo, something is broken. I can't fix it. It may not be fixable, but if it is fixable then it should be fixed. We should not all just pretend it didn't happen. If there is something that can be fixed I'd like to hear about it when it gets fixed. Hence my post. Further, it's important to let the OpenBSD project know how important the brokenness is. (Recall, I'm not talking about the security vulnerability, I'm talking about the communication breakdown.) If my clients hear about an OpenBSD vulnerability from the media, before I hear about it from OpenBSD, that's bad. I want them to hear about problems with their systems, however slight, from me (or directly from OpenBSD of course). I don't want clients to hear about problems on their systems from some media panic attack article. OpenBSD has always solicited feedback regarding how important particular bugs are. Now you've the relevant information you can decide how high to jump. Regards, Karl <kop@meme.com> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
What about Charlie Root testing something remotely through cron and then sending a reminder: "A hole was found in OpenBSD, please follow instructions at http://www.openbsd.org/blahblah.html to fix it." That could be easy to implement, could use authentication to prevent spoof panic attacks, and would make sure even people who don't read mailing lists plug their holes in a timely fashion. CL<
Ok, I'll bite. This is not hard. Here's something I did real quick. Use at your own risk. Replace XXX with your closest ftp mirror from http://www.openbsd.org/ftp.html. Read the comments. As root: patch -p0 < [extract patch from below my sig] mkdir -m 755 /var/errata chown root:wheel /etc/errata chmod 644 /etc/errata sh /etc/errata to test as non-root. You can forego the patch to /etc/daily and run as needed standalone, otherwise root will get daily errata output emails. -- Kyle George --- /usr/src/etc/daily Tue Dec 6 15:18:56 2005 +++ /etc/daily Sun Mar 18 00:52:35 2007 @@ -20,8 +20,13 @@ rm -f ${TMP} exit 1 } +OUT2=`mktemp /tmp/_errata.XXXXXXXXXX` || { + rm -f ${TMP} + rm -f ${OUT} + exit 1 +} -trap 'rm -f $TMP $OUT' 0 1 15 +trap 'rm -f $TMP $OUT $OUT2' 0 1 15 echo "" echo "Removing scratch and junk files:" @@ -174,3 +179,9 @@ if [ -s $OUT ]; then mail -s "`hostname` daily insecurity output" root < $OUT fi + +sh /etc/errata 2>&1 > $OUT2 +if [ -s $OUT2 ]; then + mail -s "`hostname` daily errata output" root < $OUT2 +fi + --- /usr/src/etc/changelist Tue Dec 27 23:57:28 2005 +++ /etc/changelist Mon Mar 19 13:58:18 2007 @@ -27,6 +27,7 @@ /etc/dhcpd.interfaces /etc/disktab /etc/distfile +/etc/errata /etc/ethers /etc/exports /etc/fbtab --- /dev/null Mon Mar 19 15:33:55 2007 +++ /etc/errata Mon Mar 19 15:20:10 2007 @@ -0,0 +1,146 @@ +#!/bin/sh - +# +# Check for available/changed OpenBSD errata. +# +# Description and Usage: +# +# Replace ftp.openbsd.org/pub/OpenBSD with your favorite mirror from +# the list: http://www.openbsd.org/ftp.html. +# +# Check for available errata by looking at the errata X.Y.tar.gz from +# the OpenBSD ftp site (or preferrably, a mirror). Also check for +# errata that may have been revised since first issued or applied. +# This works by comparing the listing of /var/errata and the contents +# of non-empty patch files in /var/...
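Review bot: in the second /etc/daily hunk, `sh /etc/errata 2>&1 > $OUT2` does not put stderr into $OUT2: redirections are applied left to right, so stderr is joined to the original stdout first and only stdout then goes to the file. Any ftp or mirror failure from the errata check is therefore separated from the report it belongs to and the "daily errata output" mail stays empty. Write it as `sh /etc/errata > $OUT2 2>&1` so that failures are mailed to root together with the listing.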
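Review bot: the header of the new /etc/errata tells the reader to substitute any mirror from the ftp.html list, but nothing in the visible part of the script checks what was fetched, so a stale or tampered mirror listing decides what root is told every morning; the previous post in this thread asked for exactly that kind of authentication. The header should at least say that the output is advisory and is to be confirmed against the project's errata.html before anything is applied, and "preferrably" should read "preferably".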
Now, I've harassed this forum with my obsessive-compulsive rants before, so I can guarantee you you're going to get nothing. OpenBSD actually does not owe you anything. If you really want to stay on top of OpenBSD goings-on, I suggest you subscribe to source-changes@. Public things hit that first. Yes, it does seem a bit silly that security-announce@ is a bit flaky sometimes and this has been ranted about before. Nothing has changed its usage. But this problem showed up on errata.html, misc@, undeadly.org, osnews.com, some other blogs, news sites, and finally slashdot. You're bound to read one of those (however I wouldn't count on slashdot since it's just inflammatory bullshit read by a bunch of microsofters who wish they could even install linucks; whether this is due to their stupidity or the poor quality of linux is anyone's guess). I digress. If you _really_ want to stay on top of things, you have to take action yourself beyond the cron job that gets your mail. Sorry, that's just the way it is, so I suggest you adapt to it. -- Travers Buda
I was trying to decide if I should reply, and if so, how. I looked for your name on the donations list. I don't see it. But your quote makes it clear. I don't know what to say. I am trying to get past the first impression of you being a whining liar who quotes some fiction author. Give it up. He uses our software, and he's not worth the discussion.
Out of curiosity, when I bought several t-shirts at the kd85 shop in Belgium, does a part of it actually go to the donations list, and do I pop up there with a few dollars? I also suggest that the list include the cumulative amount for each donor, sorted so that the biggest donors are at the top. Personally, it would motivate me more. I would have a feeling of control over what's actually done with my money. If Theo somehow published some breakdown of the spending, even better. If he actually assigned my donation to a concrete thing (i. e. Packet filter development,...), that would be even better. I would also have a motivation to compete for the topmost positions, with sending money as my weapon :) I could boast to my friends: look, I paid xxx of OpenBSD and I am the xth biggest donor and the packet filter you are using is actually paid from that. People are not computers, they decide based on emotions, and if you tune the psychological aspect of the thing you can induce better emotions without actually compromising your ideology. If other people think the same way as me, then Theo would start getting more donations if he changed to that system. Sometimes I wonder how much money goes to paying Theo's time, how much into paying other people like artists, how much into buying hardware, and if something of that isn't actually financed in an inefficient way. If I saw the real numbers, these concerns would probably vanish.
To me, this makes about as much sense as publishing a similar list for penis size (and whatever its female equivalent would be). Money is not the only way to contribute to a project. -- Shawn K. Quinn <skquinn@speakeasy.net>
I agree. The value of a dollar differs a great deal between different people. Shane J Pearson shanejp netspace net au
No. You make it on the donations list when you make a donation. As to your suggestions: don't expect them to become a reality anytime soon. However, I'd *love* to see you top the GoDaddy and Mozilla Foundation donations, as I am pretty sure would Theo, who I hope will then make a public announcement right here. Go for it, Karel! :-) Be well... Nico
A few of us could get started with maintaining such data, but we'd get less othe done. Besides all the development discussions and such I am still falling behind by about 800-1000 emails a month because of I don't have a breakdown. Some simply pays the bills. Most pays the hackathons. Some pays for flights. Some stuff buys small bits of hardware. The sales money ensures that I don't have to go get another job, which would leave me with way less time to deal with an increasing The donation money does not pay for code that gets written. That code gets written because passionate people put their spare time into it. The best money can do is help get them to conferences or hackathons, or keep the electricity running so that there is a machine for them to Doing things takes time. I choose not to do what you suggest, so that I have I don't even have any numbers. I could do 3 days of accounting per month to create some numbers, but that would be 3 days wasted.
Theo, is flaming all you have to say in this thread? Seriously: Do you think this bug was handled in the right way? Best Martin
I only buy CDs and stuff occasionally, and generally invest time in what I hope are productive ways. How much do I need to donate to keep from having to waste my time in unproductive threads like this? Seriously. Karl <kop@meme.com> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
like bitching about stuff that you, as a "security professional", should already know? how notably productive! if you can't look smart because you weren't looking in the right spot for this information, then perhaps your customers really should reconsider how smart they thought you were. offhand i remember having had a favorable impression of your skills from your previous posts and this hissy fit doesn't make you look any smarter. if i hired you as a consultant, looked you up on google and saw this little thread, i'd really think twice about listening to you next time. unless you're posting under a pseudonym you may have turned "stubbing your toe" into a how much do i need to donate to stop other whiners from starting threads like this? if you're a security consultant in a 1st world country whose job depends on openbsd and you haven't donated any significant amount,
It would be better if OpenBSD could be maintained secure even without a skilled security professional. Today's trend is that things are accommodated to ordinary people. You don't need a driver anymore to professionally drive your car. You don't need to understand how the engine works anymore to operate the car properly. You don't need to understand megahertz anymore to tune your TV set. This trend is because we are having more and more technology in our life and learning about the internal structure of all the appliances is not possible anymore. This trend can be implemented in free design products too. Let me use my Ronja project as an example once more. It contains sensitive low-noise broadband amplifiers and a fiber optic transceiver implemented as many chips scattered around the board. It's supposed to be built in a garage. Hundreds of points asking for a failure. But it was possible to remove the need for professional equipment and training. Strict quality control procedures done by the users using visual inspection, increase in ergonomics of the assembly procedures and preventive electrical measurements eliminate these failures which can be found only using an expensive oscilloscope. So with extra effort put into the instruction manuals, it's now possible that an unskilled person builds it using only a cheap multimeter. Similarly, by putting extra effort into the OpenBSD operating instructions and notification mechanisms, it should be possible to enable even an inexperienced user to properly recognize a security problem and respond to it in a correct and timely manner.
Are you kidding me? OpenBSD does everything for you! Hardware and software shipped with the system works right out of the box. The documentation is complete, so you don't need to google for basic man pages. And don't even get me started on the 2.4 radio support. Kismet just works. You don't have to track down some crazy linux kernel patch, make sure you have all the right modules loaded, etc. The installer is sparse, and it's a good thing. You partition the disks, extract the OS and set your root password. It's all very simple. You've probably noticed this stuff, well, the security works just the same. You don't have to do anything to make the system more secure. You can only reverse that. OpenBSD is the easiest operating system I have ever worked with. -- Travers Buda
You're both right! The security Karel describes, in the most ideal of plausible scenarios, would be the security of the automobile: it's pretty secure against dolts, but experts can still steal it. And Travers is right that it's the easiest. Because it's the simplest and most thematically coherent. Which is the best hope for the amateur secure systems buff. -- Jack J. Woehr Director of Development Absolute Performance, Inc. jwoehr@absolute-performance.com 303-443-7000 ext. 527
http://www.openbsd.org/mail.html --- *security-announce* Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available.---Martin and Karl have valid points in their initial emails. /Tony S -- Tony Sarendal - dualcyclone@gmail.com IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
It's important to put yourself in Theo et al.'s shoes. Here's a group of people who write code for free, and then give it away for free. There's no serious cash inflow to enable them to do everything they want. The code can be used by anybody for whatever purpose, like: making money! And does that money ever find its way back to OpenBSD? I'm talking about big corporations here. OpenSSH is in _everything_. It's only natural that OpenBSD should feel a sense of ingratitude... because there is ingratitude. To add insult to injury, people ask for more than what is freely offered. Example: this thread. If you want to see X feature, hire one of the developers. If you want to keep getting releases, pay Theo's hydroponics.. err electric bill. etc etc -- Travers Buda
That's a valid point if Theo took a joint, the negative emotions from his reactions might disappear. Holds not only for Theo. I am having a feeling that Theo is like a panhandler that plays good music in a subway and when you throw him 1$ and notice his fly is down. He snaps and starts yelling at you that you should pay at least 10$ because his music is really good (which it actually is) and that his zipper is down because he's overworked. Instead of putting his zipper up. Jeez, Theo is a world OS programmer, I am sure his OS design skills are unequalled by most others, judging by the quality of the result. Why should he degrade himself into the role of a hysteric panhandler? I would suggest implementing some strategy to increase the cash flow. If it doesn't help, then going into the strict mode. Develop something, collect the donations and release only after you get covered. I think people will quickly get used to the fact that it's easier to pay a laughably small donation and then get a quality intellectual property into your ownership than pay a ridiculously high rent to a proprietary company and get a dubious quality product for it.
christ. buddha. the thread that would not die. i invoke godwins law in a (probably ) unsuccessful attempt to end the insanity: nazi nazi holocaust, nazi. On Mar 17, 2007, at 12:09 PM, Karel Kulhavy wrote: <something useless and inflammatory> [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
I don't see how your excuses apply here. If Theo made a mistake by not Cc'ing security-announce that is ok, he is only human. This can be corrected in the future by either sending it to that list or changing the website. /Tony S -- Tony Sarendal - dualcyclone@gmail.com IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
I can't help this =) : I noticed your quote about metaphysics. Well it's metaphysically ridiculous to even expect excuses from people If you look at security-announce@, it follows a special format. Theo is busy. There's the 4.1 release. And I'm sure Theo does other things besides OpenBSD. -- Travers Buda
And to all those bitchers and whiners, does it make you feel important to state the fucking obvious? I hope not, generally I feel important when I come up with a suggestion no one else has thought of (which isn't often). Greg
Are people really asking for more than what is freely offered? The web page says security advisories and pointers are posted on the security-announce list as they become available. The web site is part of the project, which offers an OS and mailing lists. If the OS is not there you would expect people to ask about it. But this is NOT a missing feature, the feature is there, but it is not working as what the doc says it should be. -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
On Fri, 16 Mar 2007 06:03:49 +0000 Only it doesn't actually say how timely it is supposed to be or even that all advisories and patches will have a corresponding email. Sure, you could say it's implied but it's sure not spelled out and the OpenBSD project isn't exactly overflowing with personnel. But maybe Karl and Martin are volunteering to maintain security-announce. -- Lars Hansson <lars@unet.net.ph>
I'd be willing to do that (forward erratas to security-announce), but let's not forget that OpenBSD is a dictatorship, i.e. it's for Theo to decide. Best Martin
On 3/16/07, Martin Schröder <martin@oneiros.de> wrote: [snip blah blah blah...] After all the kvetching and sensationalism that's characterized both this thread and the release of this errata, there are a few things I wanted to point out. Theo's already put out the timeline and circumstances around classification of reliability and later security fix. Core Security also included the timeline in their advisory. The first point to make is this: the fix was applied in a more-than-timely manner. The errata was merged into -stable and made available March 7. Core Security released their advisory March 13. That's very good lead time, and that means the patch was available darn near a week before the advisory came out. If people aren't checking the errata pages for a week at a time, there's a larger issue than a lack of email notification. The second point relates to the natural dissent that the first point invites; if the announcement doesn't go to the security announce list, how are people supposed to know that the errata is available? I want everyone trying to make that point to think of all the software vendors they deal with, including the commercial software vendors to whom you pay thousands (and depending on the size of your organization, millions) of dollars per year. Can you say that you get SMTP notifications from all of them? The answer, if you're in any situation resembling what I've been in for the last decade, is no. The reality is, it's *not* an assumption that you'll get notifications from anyone in your happy little inbox. Most of my current vendors (lots of them, too) don't have any official vulnerability notification channel in place, and when we approach them about it, they point us to their web site support page where we can find updates as they are released. The landscape for this kind of thing is awful, and in fact OpenBSD is ahead of the curve here because they actually do admit and respond to vulnerabilities in an open manner.
Closed source, commercial v...
To focus this even more, I managed some VAX/VMS machines in the 1980's, supporting about a half dozen aero engineers and programmers. The software support contract for VMS ran me around 5-7 thousand USD a year, in the dollars of the day, say $15K/yr in current money, which got us mailed magtapes when there were bug fixes or new versions, and great boxes of paper when the documentation changed. This was not the most extreme level of support available, which would have included a field engineer to come around and patch the systems within 24 hrs or such. This did not include support for such extras as the Fortran, C or Pascal compilers or other "fluff". This did not include the VMS license itself, just the support on it. And, at that time, Digital was considered a responsive, cost-effective solution, and it was. With OpenBSD, I get a system that is at least as robust, much more capable, but with support that fixes bugs before I hear of them. (And I listen.) I get this for almost nothing. Digital actually warrantied their software (unheard of these days, at least in the PeeCee world), i.e. if it didn't work, you'd get it fixed, and quickly. OpenBSD doesn't warranty anything, but they fix things as fast as Digital used to (24-48 hrs). Did I mention what a VAX/VMS source code license cost? I seem to recall 100K$ being mentioned. I get a kick out of people who are too slack to spend the two hours of reading and twenty minutes of unattended execution time it takes to CVS or patch a kernel and compile it. I would have killed to have the VMS kernel sources. Dave
Some of these people clearly think they are entitled. But they are not entitled. Nothing entitles them to anything. There is no contract, there is no promise, there is nothing, nothing, nothing, and nothing. They should just be thankful. If they continue to be so rude, they'll get less. They won't get more -- they'll get less. It's not human nature to give more to jerks.
Hi I have donated, my hard earned. I don't involve myself commercially in OBSD but I listen. This is idiotic, a big hole was found and the devs pissed about because they didn't want to admit it. OBSD's strength is in being open, be open. Move on and end this. Theo, chill out. Cheers Rich
No one in OpenBSD is pissed off about this. We posted the bug fix as soon as we became aware of the problem. The timeline goes like this: 1) We were told there was a mbuf crash, which could remotely CRASH the machine. There was no proof that more could be done, not even a whiff. 2) We committed the fix, about 24 hours later. It took a few days to get the errata up because the people who do that were at a conference. It was labelled as a RELIABILITY FIX because everyone felt it was just a CRASH. I then entered into a long conversation with Core explaining why we label crash fixes (even remote) as RELIABILITY FIXES. 3) Core felt maybe something more could be done and continued working, and ONE WEEK LATER, finally managed to show us brand new code which showed that intrusion was possible. Before that moment, it was still just confirmed to be a CRASH. 4) A few hours after we became aware that it was more than a CRASH, we changed the advisory to say it was a real security risk. We first had to get the patch into -stable, I changed index.html to talk about there being TWO remote holes in more than 10 years, without even discussing this with any other developer, because I knew it was true. Other developers in the group were stunned to see me change it. 5) Core decided that their advisory should include their interpretation of our discussion as to why OpenBSD labels crash fixes as RELIABILITY FIXES. Three times I told them that I thought that was a mistake, and that the public would not understand the reasoning as they wrote it. That is what happened. If you don't believe me, mail Ivan Arce at Core and ask him if any of the 5 points above are wrong. Come on, go ask him if I am a liar... go ahead. Yes, some of the press got it wrong too, and part of that I feel is Ivan Arce's fault. He should have been more cautious at explaining the complex discussion OpenBSD had with Core, where we explained why we...
Yet again, we see that although Theo is willing to beg, wheedle and threaten his user community into sending him money when he needs it, he holds them in too much contempt to respond to simple, uncontroversial and valid criticism. What a bullshit argument. When you realised the problem was serious enough to update the homepage to say "only two remote holes..." you should also have sent out an email to security-announce. You had time to send an announcement to misc - not sending one to the list your project specifically created for just this type of situation means, quite simply, that you fucked up. You fucked up, Theo. Do it right next time, or de-commission the security-announce mailing list for once and for all. The fact that you can't get a simple thing like this right really makes me wonder about the wisdom of relying on OpenBSD for real-world use... What a completely fucking stupid, border-line insane thing to say. Let's get this straight - your project sets up a security announcement list specifically for announcements on vulnerabilities and patches. You then proceed to ignore it completely for one of the most serious OpenBSD security problems in the last decade. But no-one is allowed to actually say anything about this because if they do you'll not use it JUST TO SPITE US. You, sir, You know, Theo, it makes me fucking sick to see you treat the community of people who support your project and pay your wage like this. It makes me even sicker to see the crowds of shrill, stupid fanboys on this list who are so pathetically eager to agree with you that they support even your most unreasonable, childish and frankly stupid statements.
You are a goddam hypocrite - either you do OpenBSD purely for yourself and the other developers (in which case I will stop financially supporting the project, and everyone else should too) or you recognise that what really keeps OpenBSD going is the group of people that advocate OpenBSD, use it in the real world, and buy your goddamn...
I don't think Theo is a hypocrite; otherwise he makes a highly consistent impression on me. To me it looks like a slippage caused by an external factor. There's a problem and it has to be found and fixed. Theo, how much time do you sleep on average per night? Aren't you overworked? Don't you have some kind of family problem (relationship, death, serious disease)? Don't you get too little money in donations and feel stressed by it? Or some other kind of cockup in your life? We need to understand that OpenBSD is a unique operating system - it's free, very complicated, AND proper care is taken in design and programming. That must be very demanding on the developers.
You need to FOAD and stop being an insulting little twat. This is nothing more and nothing less than the same frustration and rage that every working admin and coder in the world feels. It's not an accident that the BOFH is central to our culture in many ways. :) You can like it or not. We don't give a shit. Go ahead use the code that's what it's there for. But FFS stop trying to change our culture just because you don't like it. We love it and it's ours. Or if you really hate it. Go the fuck away. You will not be mourned or missed. You are a luser of the worst kind. To deny a man the right to blow off steam or to start insulting him because he does is just sick and They do not preach that their God will rouse them a little before the nuts work loose.
No. This is pure bullshit. There was a hole. The patch and the errata had been up for -ages-. Anybody who really cares and really pays attention had patched and been happy for nearly a week. The logic behind the misc posting is so very obvious that to bitch about it is just finding something to complain about. I, of course, don't know the exact numbers but it seems pretty clear that misc has a much larger subscriber base than security-announce. Given that it just makes sense to post this to the list where the most people are going to see it. As for the rest of your rant. It's clear you've never been a working admin or coder. Try it for a while and come back when you've seen the <snip>
"Ray Percival" misc goes into a separate folder security-announce straight to my inbox. misc I read only when I have the time to do so. what you see logical is not granted logical for others. -sm
Is it really that hard to cc to security-announce? Jeez... -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
Actually, I think you're wrong. Majordomo at lists.openbsd.org reports 11323 subscribers to security-announce and only 3866 for misc. It really surprised me when I saw it, I thought misc would have had at least more than ~4000. Whether they're correct or not though, most people probably think security-announce is the important one to watch.
On Fri, 16 Mar 2007 21:22:58 +1100 Say what? Didn't want to admit it? In what alternative universe was That's good advice though. -- Lars Hansson <lars@unet.net.ph>
It is not just an implication, that's exactly what it said: "receives OpenBSD security advisories and pointers to security patches as they become available." If I tell you that I'll give you fries as they become available what would you think I am saying? It is really simple English and as there is a lot to read, no one is going to examine each and every single word to pull apart the semantics and implications or whatever, people are just going to read it and take what it says. -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
On Fri, 16 Mar 2007 18:03:02 +1100 Unless it's your job to give them to me now and I have paid you to do so I'd expect to get them whenever you have them and feel like giving me some. -- Lars Hansson <lars@unet.net.ph>
But if you see fries do become available wouldn't you ask me what happened? Yes I may have no obligation to give you fries, but since I said I will give you the fries when they become available, should I not expect you to ask me what went wrong with my offering? -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
Yeah. Expectations aside, being condescending is never warranted. Both Karl and Martin did just that. They could have asked if there was a reason it wasn't sent to security-announce@ instead of misc@, rather than saying "This is terrible handling of a bug" after it was fixed almost immediately. Seems some people spend very little time thanking the developers for the immediate fix and instead go straight to suggestions on how to handle their project better. -- Kian Mohageri
On 03/16/2007 02:51:48 AM, Kian Mohageri wrote: I did not intend to be condescending and apologise if it was taken that way. Karl <kop@meme.com> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Same here. It was a statement of facts. Best Martin
It _was_ fixed quite fast; the released patch took another 10 days (granted, waiting for PoC is understandable). What was lacking is what Core criticised: This was not seen as a security problem right along, instead it took a PoC _exploit_ before we all got a warning by Theo, and even that warning was _not_ on the designated channel (security-announce). I've said it before: security-announce is broken. Either fix it (shouldn't really be too hard and takes less time than reading this thread) or delete it and point to source-changes instead. I'm annoyed that the handling led to much negative press for the project. We can do better. But Theo seems to think everything is fine. Best Martin
And what are the developers doing with their time? They give it to you and you have the got to complain on top of it! So, they should waste Seriously! Daniel
--> Bram, your gtodo is mentioned. The users work as an army of testers and if something doesn't work, they report it in the form of a complaint. That saves Theo the big money needed to pay an army of beta testers like game companies do. On my Ronja project, complaints serve a good service. I get a complaint, extract useful information on what needs to be fixed/improved, put it on my prioritized TODO list (http://www.stack.nl/~brama/projects/todo/) and forget about the complaint. The less experienced the user, the higher quality complaints he generates. More advanced users cannot spot some bugs in instruction manuals because their experienced brain automatically fills in. The least experienced generate good feedback even regarding the website structure, usability and ergonomics. The worst people are the too lazy to complain ones who manage to build a whole Ronja even while encountering 10 bugs and 20 ambiguities on the way and then they risk strange unreliabilities in their device. Sometimes bugs persist in the instruction manuals for a long time because of these people. I can only recommend the mentioned gtodo program; that's what makes the difference for me between reacting neurotically to complaints and taking them easy. CL<
I apologise to the list for responding to the flames. I made my point and went beyond into unproductiveness. I'm sorry and I'll stop now. Karl <kop@meme.com> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
So next time I shouldn't post when I see a problem? That'll help, not. Karl <kop@meme.com> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein