Re: Important OpenBSD errata

2007-03-19 Thread Kyle George

On Sat, 17 Mar 2007, Karel Kulhavy wrote:


What about Charlie Root testing something remotely through cron and then


Ok, I'll bite.  This is not hard.  Here's something I did real quick. 
Use at your own risk.  Replace XXX with your closest ftp mirror from 
http://www.openbsd.org/ftp.html.  Read the comments.


As root:

patch -p0 < [extract patch from below my sig]
mkdir -m 755 /var/errata
chown root:wheel /etc/errata
chmod 644 /etc/errata

sh /etc/errata to test as non-root.  You can forgo the patch to 
/etc/daily and run as needed standalone, otherwise root will get daily 
errata output emails.


--
Kyle George

--- /usr/src/etc/daily  Tue Dec  6 15:18:56 2005
+++ /etc/daily  Sun Mar 18 00:52:35 2007
@@ -20,8 +20,13 @@
rm -f ${TMP}
exit 1
 }
+OUT2=`mktemp /tmp/_errata.XX` || {
+rm -f ${TMP}
+rm -f ${OUT}
+exit 1
+}

-trap 'rm -f $TMP $OUT' 0 1 15
+trap 'rm -f $TMP $OUT $OUT2' 0 1 15

 echo 
 echo Removing scratch and junk files:
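Review bot: the template passed to mktemp on the `OUT2=` line has only two X characters as shown (`/tmp/_errata.XX`), which leaves mktemp a name space of a few thousand candidates in a world-writable directory; use a longer template such as `/tmp/_errata.XXXXXXXXXX` so the file name cannot be guessed and pre-created. The failure branch removing TMP and OUT and the extended trap line are consistent with how the existing temporaries are cleaned up.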
@@ -174,3 +179,9 @@
 if [ -s $OUT ]; then
 mail -s `hostname` daily insecurity output root  $OUT
 fi
+
+sh /etc/errata 21  $OUT2
+if [ -s $OUT2 ]; then
+mail -s `hostname` daily errata output root  $OUT2
+fi
+
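Review bot: the redirection on the `sh /etc/errata` line reads `21  $OUT2` here, so the `>` and `&` characters have not survived the archive; when restoring it, put the file redirection first, `sh /etc/errata >$OUT2 2>&1`, because `2>&1 >$OUT2` duplicates stderr onto the surrounding stdout before stdout is moved to the file, and the errata report would then miss lynx and tar errors. The same character loss affects the subject on the `mail -s` line, which needs quoting (`-s "\`hostname\` daily errata output"`) to reach mail as a single argument. Note also that this runs /etc/errata as root from the daily job while the cover note tests it as non-root; from what is visible nothing in the script needs root once /var/errata exists, so running it via `su -m` as an unprivileged user that owns /var/errata would keep the network fetch and tar extraction out of root.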
--- /usr/src/etc/changelist Tue Dec 27 23:57:28 2005
+++ /etc/changelist Mon Mar 19 13:58:18 2007
@@ -27,6 +27,7 @@
 /etc/dhcpd.interfaces
 /etc/disktab
 /etc/distfile
+/etc/errata
 /etc/ethers
 /etc/exports
 /etc/fbtab
--- /dev/null   Mon Mar 19 15:33:55 2007
+++ /etc/errata Mon Mar 19 15:20:10 2007
@@ -0,0 +1,146 @@
+#!/bin/sh -
+#
+# Check for available/changed OpenBSD errata.
+#
+# Description and Usage:
+#
+#   Replace ftp.openbsd.org/pub/OpenBSD with your favorite mirror from
+#   the list: http://www.openbsd.org/ftp.html.
+#
+#   Check for available errata by looking at the errata X.Y.tar.gz from
+#   the OpenBSD ftp site (or preferrably, a mirror).  Also check for
+#   errata that may have been revised since first issued or applied.
+#   This works by comparing the listing of /var/errata and the contents
+#   of non-empty patch files in /var/errata to the available errata in 
+#   the errata archive.

+#
+#   Let ${PNNN} be the three digit patch number and ${PNAME} be the
+#   patch filename:  After applying a patch or to ignore a particular
+#   erratum, cp the patch to /var/errata, cp the patch to
+#   /var/errata/${PNNN}, touch /var/errata/${PNAME}, or touch
+#   /var/errata/${PNNN}.
+#
+#   Example: After applying erratum 010 for 4.0, cp 010_m_dup1.patch
+#   to /var/errata, cp 010_m_dup1.patch to /var/errata/010, touch
+#   /var/errata/010_m_dup1.patch, or touch /var/errata/010 to indicate
+#   that erratum 010 has been applied.
+# 
+#   It's strongly recommended to copy the full patch so this script can

+#   detect future patch revisions.
+#
+# Caveats:
+#
+#   Dependent on the structure and location of X.Y.tar.gz.
+#   Does not check for errata from the ports collection.
+#   Does not handle errata that do not have associated .patch files.
+#   Remember to remove /var/errata/* after upgrading.
+#
+# Copyright (c) 2007 Kyle George [EMAIL PROTECTED]
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Cleanup temporaries
+cleanup()
+{
+  test -f ${ERRATA_TGZ_TMP_FILE}  \
+rm -f ${ERRATA_TGZ_TMP_FILE}
+  test -d ${ERRATA_TGZ_TMP_DIR}  \
+test $(dirname ${ERRATA_TGZ_TMP_DIR}) = /tmp  \
+  rm -Rf ${ERRATA_TGZ_TMP_DIR}
+}
+
+# Terminate from error
+error()
+{
+  if [ X$1 != X ] ; then
+echo error: $1
+  else
+echo error: unexpected error
+  fi
+  exit 1
+}
+
+# Setup: Build file/path names/URLs and make temporary files/directories
+
+trap cleanup 0 1 2 3 13 15
+
+ERRATA_DIR=/var/errata
+ERRATA_TGZ_URL=ftp://XXX/pub/OpenBSD/patches/$(uname -r).tar.gz
+ERRATA_TGZ_TMP_DIR=$(mktemp -d /tmp/_errata_tgz_tmp_dir.XX) || error
+ERRATA_TGZ_TMP_FILE=$(mktemp /tmp/_errata_tgz_tmp_file.XX) || error
+
+# Make ERRATA_DIR if it doesn't exist
+
+if [ ! -d ${ERRATA_DIR} ] ; then
+  mkdir -m 755 ${ERRATA_DIR} || \
+error could not make errata directory
+fi
+
+# Download X.Y.tar.gz and extract
+
+lynx -source ${ERRATA_TGZ_URL}  ${ERRATA_TGZ_TMP_FILE} 2 /dev/null
+
+if [ $? -ne 0 ] ; then
+  # Failed; maybe X.Y.tar.gz doesn't exist; let's check
+  ERRATA_TGZ_COUNT=$(($(
+lynx 
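Review bot: the failure test after `lynx -source` relies on lynx's exit status, which does not reliably reflect a failed fetch (lynx can exit 0 after writing an FTP error listing or an HTML error page to the output file), so the `ERRATA_TGZ_COUNT` fallback is reached only sometimes and a non-archive may be handed to tar; fetch with ftp(1) from base instead and gate extraction on `gzip -t ${ERRATA_TGZ_TMP_FILE}` succeeding. Because the archive comes from an unauthenticated FTP mirror and, via /etc/daily, this runs as root, treat its contents as untrusted: the `dirname ... = /tmp` guard in cleanup() is the right instinct, so extract only into ${ERRATA_TGZ_TMP_DIR} with `tar -C` and compare files there. Two smaller points: the caveat "Remember to remove /var/errata/* after upgrading" can be designed away by keying the state directory by release (`ERRATA_DIR=/var/errata/$(uname -r)`), so stale entries from a previous release cannot mask new errata; and the script is cut off in the archive after the second `lynx` call, so the listing and comparison logic cannot be reviewed here.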

Re: Important OpenBSD errata

2007-03-18 Thread Shane J Pearson

On 18/03/2007, at 4:25 PM, Shawn K. Quinn wrote:


On Sat, 2007-03-17 at 19:08 +0100, Karel Kulhavy wrote:

I also suggest that the list include the cumulative amount
for each donor, sorted so that the biggest donors are at the
top.


To me, this makes about as much sense as publishing a similar list for
penis size (and whatever its female equivalent would be). Money is not
the only way to contribute to a project.


I agree. The value of a dollar differs a great deal between different  
people.




Shane J Pearson
shanejp netspace net au



Re: Important OpenBSD errata

2007-03-17 Thread Siegbert Marschall
Ray Percival
...
 attention had patched and been happy for nearly a week. The logic
 behind the misc posting is so very obvious that to bitch about it is
 just finding something to complain about. I, of course, don't know
 the exact numbers but it seems pretty clear that misc has a much
 larger subscriber base than security-announce. Given that it just
 makes sense to post this to the list where the most people are going
 to see it.
misc goes into a separate folder, security-announce straight to my
inbox. misc I read only when I have the time to do so. What you
see as logical is not granted logical for others.

-sm



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
On Thu, Mar 15, 2007 at 10:29:22PM -0600, Theo de Raadt wrote:
  Free Software:  You don't pay back, you pay forward.
-- Robert A. Heinlein
 
 I was trying to decide if I should reply, and if so, how.
 
 I looked for your name on the donations list.  I don't see it.

Out of curiosity, when I bought several t-shirts at the kd85 shop in Belgium,
does actually a part of it go to the donations list and do I pop there up with
few dollars?

I also suggest that the list include the cumulative amount for each donor,
sorted so that the biggest donors are at the top.

Personally, it would motivate me more. I would have a feeling of control what's
actually done with my money. If Theo somehow published some breakdown of the
spending, even better. If he actually assigned my donation to a concrete thing
(i. e. Packet filter development,...), that would be even better. 

I would also have a motivation to compete for the topmost positions, with
sending money as my weapon :) I could boast to my friends look I paid xxx of
OpenBSD and I am the xth biggest donor and the packet filter you are using is
actually paid from that.

People are not computers, they decide based on emotions, and if you tune the
psychological aspect of the thing you can induce better emotions without
actually compromising your ideology.  If other people think the same way like
me, then Theo would start getting more donations if he changed to that system. 

Sometimes I wonder how much money goes to paying Theo's time, how much into
paying other people like artists, how much into buying hardware, and if
something of that isn't actually financed in an inefficient way. If I saw the
real numbers, these concerns would probably vanish.

CL
 
 But your quote makes it clear.
 
 I don't know what to say.  I am trying to get past the first
 impression of you being a whining liar who quotes some fiction author.
 
 Give it up.  He uses our software, and he's not worth the discussion.



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
On Fri, Mar 16, 2007 at 04:23:00AM +, Karl O. Pinc wrote:

 No, but if security errata announcements aren't delivered
 in a fashion that delivers them to a human then they
 do no good.  I should not be expected to peruse the
 misc@openbsd.org list to find errata announcements.
 OpenBSD says announcements will be made on security-announce
 when patches become available.  This did not happen.
 Ergo, something is broken.  I can't fix it.  It may

What about Charlie Root testing something remotely through cron and then send a
reminder: A hole was found in OpenBSD, please follow instructions at
http://www.openbsd.org/blahblah.html to fix it.

That could be easy to implement, could use authentication to prevent spoof
panic attacks, and would make sure even people who don't read mailing lists
plug their holes in a timely fashion.

CL



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
On Fri, Mar 16, 2007 at 04:31:32AM +, Karl O. Pinc wrote:
 On 03/15/2007 10:48:49 PM, Ray Percival wrote:
 On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
 
 I rely on having a clear channel for security related
 problems.
 
 The only communication problem here is that you don't look
 at the information that the project puts out there for you.
 
 The project says it will announce security errata
 on the security-announce list.  I _am_ assuming this
 will be done in a timely fashion...  This does not
 seem like an unreasonable assumption.

It has to be timely otherwise some blackhat could craft a working exploit
Internet worm and get an army of zombies for his unpopular activities.

OpenBSD could get a negative media attention from this and people would have to
wipe their systems and perform a clean install. Huge losses. That's something
people generally don't want.

The best would be if the administrator were prompted in that case regardless if
he reads Slashdot, any mailing lists, bugtraq etc.

CL



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
-- Bram, your gtodo is mentioned.

On Fri, Mar 16, 2007 at 01:40:57AM -0400, Daniel Ouellet wrote:
 Karl O. Pinc wrote:
 On 03/15/2007 11:29:22 PM, Theo de Raadt wrote:
 
 I looked for your name on the donations list.  I don't see it.
 
 I only buy CDs and stuff occasionally, and generally
 invest time in what I hope are productive ways.
 
 And what are the developers doing with their time? They give it to you 
 and you have the got to complain on top of it! So, they should waste 

The users work as an army of testers and if something doesn't work, they report
it in the form of a complaint. That saves Theo the big money needed to pay an army
of beta testers like game companies do.

On my Ronja project, complaints serve a good service. I get a complaint,
extract useful information what needs to be fixed/improved, put it on my
prioritized TODO list (http://www.stack.nl/~brama/projects/todo/) and forget
about the complaint.

The less experienced the user, the higher quality complaints he generates. More
advanced users cannot spot some bugs in instruction manuals because their
experienced brain automatically fills in. The least experienced generate good
feedback even regarding the website structure, usability and ergonomics.

The worst people are the too lazy to complain ones who manage to build a whole
Ronja even while encountering 10 bugs and 20 ambiguities on the way and then
they risk strange unreliabilities in their device. Sometimes bugs persist in
the instruction manuals for a long time because of these people.

I can only recommend the mentioned gtodo program; that's what makes the difference
for me between reacting neurotically to complaints and taking them easy.

CL



Re: Important OpenBSD errata

2007-03-17 Thread Theo de Raadt
 I also suggest that the list include the cumulative amount for each donor,
 sorted so that the biggest donors are at the top.

A few of us could get started with maintaining such data, but we'd
get less other work done.  Besides all the development discussions and such
I am still falling behind by about 800-1000 emails a month because of
the release cycle.

 Personally, it would motivate me more. I would have a feeling of control 
 what's
 actually done with my money. If Theo somehow published some breakdown of the
 spending, even better. If he actually assigned my donation to a concrete thing
 (i. e. Packet filter development,...), that would be even better. 

I don't have a breakdown.  Some simply pays the bills.  Most pays the
hackathons. Some pays for flights.  Some stuff buys small bits of
hardware.  The sales money ensures that I don't have to go get another
job, which would leave me with way less time to deal with an increasing
developer community.

 I would also have a motivation to compete for the topmost positions, with
 sending money as my weapon :) I could boast to my friends look I paid xxx of
 OpenBSD and I am the xth biggest donor and the packet filter you are using is
 actually paid from that.

The donation money does not pay for code that gets written.  That code
gets written because passionate people put their spare time into it.
The best money can do is help get them to conferences or hackathons,
or keep the electricity running so that there is a machine for them to
commit to.

 People are not computers, they decide based on emotions, and if you tune the
 psychological aspect of the thing you can induce better emotions without
 actually compromising your ideology.  If other people think the same way like
 me, then Theo would start getting more donations if he changed to that 
 system. 

Doing things takes time.  I choose not to do what you suggest, so that I have
time to do things which I think are more important to the source tree.

 Sometimes I wonder how much money goes to paying Theo's time, how much into
 paying other people like artists, how much into buying hardware, and if
 something of that isn't actually financed in an inefficient way. If I saw the
 real numbers, these concerns would probably vanish.

I don't even have any numbers.  I could do 3 days of accounting per month
to create some numbers, but that would be 3 days wasted.



Re: Important OpenBSD errata

2007-03-17 Thread Nico Meijer
Hi Karel,

 Out of curiosity, when I bought several t-shirts at the kd85 shop in
 Belgium, does actually a part of it go to the donations list and do I
 pop there up with few dollars?

No. You make it on the donations list when you make a donation.

As to your suggestions: don't expect them to become a reality anytime
soon.

However, I'd *love* to see you top the GoDaddy and Mozilla Foundation
donations, as I am pretty sure would Theo, whom I hope will then make a
public announcement right here. Go for it, Karel! :-)

Be well... Nico



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
On Fri, Mar 16, 2007 at 05:53:10AM +, Karl O. Pinc wrote:
 On 03/15/2007 11:55:44 PM, Kian Mohageri wrote:
 
 Security isn't about receiving notifications to your Inbox in a timely
 fashion.  It is about being proactive yourself.  You should be the one
 taking measures to secure your systems, and you should be the one
 ACTIVELY
 LOOKING for problems.  Watching mailing lists isn't enough, and this
 was
 announced very early on the ERRATA page.
 
 Perhaps my problem is that until this thread it wasn't
 clear to me that the errata page was inherently more
 reliable than the mailing list.  From a technical
 perspective I see no reason why either can't be equally
 reliable.  How am I to know?

There are so many points to refer to regarding security - Errata page, misc
mailing list, security-announce, Slashdot. It's easy to get confused.  The
ergonomics of work are decreased. Decrease the ergonomics of work and your accident
rate goes up. That means, more people failing to upgrade their system
containing a security problem.

CL



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
On Fri, Mar 16, 2007 at 01:49:52AM -0500, Travers Buda wrote:
 * tony sarendal [EMAIL PROTECTED] [2007-03-16 06:03:49]:
 
  http://www.openbsd.org/mail.html
  ---
  *security-announce* Security announcements. This low volume list receives
  OpenBSD security advisories and pointers to security patches as they become
  available.---Martin and Karl have valid points in their initial emails.
  
  /Tony S
  
 
 It's important to put yourself in Theo et al.'s shoes.  Here's a
 group of people who write code for free, and then give it away for
 free.  There's no serious cash inflow to enable them to do everything

How do you know it's not serious? Does Theo publish the amounts anywhere?

 they want.  The code can be used by anybody for whatever purpose,
 like: making money!  And does that money ever find its way back
 to OpenBSD?  I'm talking about big corporations here.  OpenSSH is
 in _everything_.  It's only natural that OpenBSD should feel a sense
 of ingratitude...  because there is ingratitude.  To add insult to
 injury, people ask for more than what is freely offered.  Example:
 this thread.
 
 If you want to see X feature, hire one of the developers.
 If you want to keep getting releases, pay Theo's hydroponics..  err

That's a valid point: if Theo took a joint, the negative emotions from
his reactions might disappear. Holds not only for Theo.

I am having a feeling that Theo is like a panhandler that plays good music in
a subway and when you throw him 1$ and notice his fly is down. He snaps and
starts yelling at you that you should pay at least 10$ because his music is
really good (which it actually is) and that his zipper is down because he's
overworked.  Instead of putting his zipper up.

Jeez, Theo is a world OS programmer, I am sure his OS design skills are
unequalled by most others, judging by the quality of the result. Why should he
degrade himself into a role of a hysteric panhandler?

I would suggest to implement some strategy to increase the cash flow. If it
doesn't help, then going into the strict mode. Develop something, collect the
donations and release only after you get covered. I think people will quickly
get used to the fact that it's easier to pay a laughably small donation and
then get a quality intellectual property into your ownership than pay a
ridiculously high rent to a proprietary company and get a dubious quality
product for it.

CL
 electric bill.  etc etc
 
 -- 
 Travers Buda



Re: Important OpenBSD errata

2007-03-17 Thread Ray Percival

On Mar 17, 2007, at 11:50 AM, Karel Kulhavy wrote:


On Fri, Mar 16, 2007 at 05:53:10AM +, Karl O. Pinc wrote:

On 03/15/2007 11:55:44 PM, Kian Mohageri wrote:

Security isn't about receiving notifications to your Inbox in a timely
fashion.  It is about being proactive yourself.  You should be the one
taking measures to secure your systems, and you should be the one ACTIVELY
LOOKING for problems.  Watching mailing lists isn't enough, and this was
announced very early on the ERRATA page.


Perhaps my problem is that until this thread it wasn't
clear to me that the errata page was inherently more
reliable than the mailing list.  From a technical
perspective I see no reason why either can't be equally
reliable.  How am I to know?


There are so many points to refer to regarding security - Errata page, misc
mailing list, security-announce, Slashdot. It's easy to get confused.  The
ergonomics of work are decreased. Decrease the ergonomics of work and your accident
rate goes up. That means, more people failing to upgrade their system
containing a security problem.

No. Everybody with a clue knows that there are two sources for good
data. The errata page and source-changes. Everything else is just
gravy or noise. Welcome to that club. Now you know everything you
need to and just like the rest of OpenBSD it's simple, elegant,
powerful, and very usable once you stop fighting the system and start
using it.


CL



They do not preach that their God will rouse them a little before the  
nuts work loose.




Re: Important OpenBSD errata

2007-03-17 Thread Jason George
  Free Software:  You don't pay back, you pay forward.
-- Robert A. Heinlein
 
 I was trying to decide if I should reply, and if so, how.
 
 I looked for your name on the donations list.  I don't see it.

Out of curiosity, when I bought several t-shirts at the kd85 shop in Belgium,
does actually a part of it go to the donations list and do I pop there up with
few dollars?

I also suggest that the list include the cumulative amount for each donor,
sorted so that the biggest donors are at the top.

You are assuming that all things revolve around $$$.  What about 
gifts-in-kind?  There are instances where donations of professional services 
which have benefitted the project could easily (and significantly) outrank 
large cash donations.  What's the book value of someone who donated hardware 
and provides the impetus to make new ports or to fix support for esoteric 
hardware?  These things do not lend themselves to a linear scale of ranking.  
Thanks for being a jerk and attempting to marginalize the work done by a large 
number of people over the last 12+ years.  Oh wait, that's what the donations 
list is... a list of who helped, roughly in order.

Personally, it would motivate me more. I would have a feeling of control what's
actually done with my money. If Theo somehow published some breakdown of the
spending, even better. If he actually assigned my donation to a concrete thing
(i. e. Packet filter development,...), that would be even better. 

I would also have a motivation to compete for the topmost positions, with
sending money as my weapon :) I could boast to my friends look I paid xxx of
OpenBSD and I am the xth biggest donor and the packet filter you are using is
actually paid from that.

Unless you're talking about Canadian or American monetary figures starting in 
the mid-5-digits, there's no way you'll be able to start to claim any form of 
significant sponsorship of any major new OpenBSD subsystem.

Some donations actually go directly to paying for costs incurred in specific 
areas.  Unfortunately, small donations might only go to paying for a portion 
of something.  There are a number of recent examples of fund raising drives to 
get a particular piece of gear to a certain developer.  People make donations 
for various reasons, but I've never heard of anyone wanting to claim that they 
ensured that the air baffles and extra power cable were in their name.

People are not computers, they decide based on emotions, and if you tune the
psychological aspect of the thing you can induce better emotions without
actually compromising your ideology.  If other people think the same way like
me, then Theo would start getting more donations if he changed to that system. 

People buying things due to emotion alone is a recipe for a potential mess 
over the long-term.  I won't go into a treatise on personal consumer debt and 
the fundamental motivations behind why people make decisions that are mostly 
clearly non-optimal.

People who use OpenBSD and are active donors are more likely to be heavily 
rational and understand implicitly why they are putting money into the 
coffers.

Sometimes I wonder how much money goes to paying Theo's time, how much into
paying other people like artists, how much into buying hardware, and if
something of that isn't actually financed in an inefficient way. If I saw the
real numbers, these concerns would probably vanish.


Wow.  It's like you're doing due diligence work before purchasing a company.  
The issue is that OpenBSD isn't a company.  It essentially uses a finance 
model that is most easily described as cost recovery.  There isn't a lot of 
surplus in the finances.  If extras exist, they are redeployed, akin to a 
re-investment of profit in a company.

This isn't Redhat, which is fully commercialized.  There aren't fancy offices 
with frosted glass.  There aren't receptionists.  There's no mailroom.  
Actually, I'd suggest that the vast majority of open source projects are 
decidedly NOT like Redhat.  They are still principally volunteer-run with a 
smattering of people who derive some form of salary or monetary remuneration.

I'm going to explicitly use a portion of the script from A Few Good Men, a 
1992 movie with Tom Cruise and Jack Nicholson.  It clearly doesn't map 
directly and completely to OpenBSD but there are significant number of 
parallels in the words spoken by Nicholson's character that equally apply.
If I need to explain what applies, then there are bigger problems.  The 
references should be pretty much intuitively obvious.

Col. Jessep: Son, we live in a world that has walls, and those walls have to be 
guarded by men with guns. Who's gonna do it? You? You, Lt. Weinburg? I have a 
greater responsibility than you could possibly fathom. You weep for Santiago, 
and you curse the marines. You have that luxury. You have the luxury of not 
knowing what I know. That Santiago's death, while tragic, probably saved 
lives. And my existence, 

Re: Important OpenBSD errata

2007-03-17 Thread Woodchuck
On Fri, 16 Mar 2007, Darren Spruell wrote:

 On 3/16/07, Martin Schröder [EMAIL PROTECTED] wrote:
 [snip blah blah blah...]
 
   I want
 everyone trying to make that point to think of all the software
 vendors they deal with, including the commercial software vendors to
 whom you pay thousands (and depending on the size of your
 organization, millions) of dollars to per year. Can you say that you
 get SMTP notifications from all of them? The answer, if you're in any
 situation resembling what I've been in for the last decade, is no. 

To focus this even more, I managed some VAX/VMS machines in the
1980's, supporting about a half dozen aero engineers and programmers.
The software support contract for VMS ran me around 5-7 thousand
USD a year, in the dollars of the day, say $15K/yr in current money,
which got us mailed magtapes when there were bug fixes or new
versions, and great boxes of paper when the documentation changed.
This was not the most extreme level of support available, which
would have included a field engineer to come around and patch the
systems within 24 hrs or such.  This did not include support for
such extras as the Fortran, C or Pascal compilers or other fluff.
This did not include the VMS license itself, just the support on
it.  And, at that time, Digital was considered a responsive,
cost-effective solution, and it was.

With OpenBSD, I get a system that is at least as robust, much more
capable, but with support that fixes bugs before I hear of them.
(And I listen.)  I get this for almost nothing.  Digital actually
warranteed their software (unheard of these days, at least in the
PeeCee world), i.e. if it didn't work, you'd get it fixed, and
quickly.  OpenBSD doesn't warrantee anything, but they fix things
as fast as Digital used to (24-48 hrs).

Did I mention what a VAX/VMS source code license cost?  I seem to
recall 100K$ being mentioned.

I get a kick out of people who are too slack to spend the two hours
of reading and twenty minutes of unattended execution time it takes
to CVS or patch a kernel and compile it.  I would have killed to
have the VMS kernel sources.

Dave



Re: Important OpenBSD errata

2007-03-17 Thread Karel Kulhavy
On Sat, Mar 17, 2007 at 11:43:47AM +1100, fonkprop wrote:
 Yet again, we see that although Theo is willing to beg, wheedle and threaten
 his user community into sending him money when he needs it, he holds them in
 too much contempt to respond to simple, uncontroversial and valid criticism.
 
 
 On 3/16/07, Theo de Raadt [EMAIL PROTECTED] wrote:
 
 
  Let's see... the fsck_ffs fix pedro committed a few hours ago.  That
  fixes a serious problem where fsck fails to spot filesystem
  corruption.  Should we spend time fully assessing how rare or common
  this situation is, and then errata it up the stream as fast as
  possible, maybe even consider if there are security risks from such
  filesystem corruption?  Come on.
 
 
 What a bullshit argument. When you realised the problem was serious enough
 to update the homepage to say only two remote holes... you should also
 have sent out an email to security-announce. You had time to send an
 announcement to misc - not sending one to the list your project specifically
 created for just this type of situation means, quite simply, that you fucked
 up. You fucked up, Theo. Do it right next time, or de-commission the
 security-announce mailing list for once and for all. The fact that you can't
 get a simple thing like this right really makes me wonder about the wisdom
 of relying on OpenBSD for real-world use...
 
 The minute someone moans for a posting to the security-announce list
  they have removed any desire from me to do so.  And the same comes for
  any other errata.
 
 
 What a completely fucking stupid, border-line insane thing to say. Let's get
 this straight - your project sets up a security announcement list
 specifically for announcements on vulnerabilities and patches. You then
 proceed to ignore it completely for one of the most serious OpenBSD security
 problems in the last decade. But no-one is allowed to actually say anything
 about this because if they do you'll not use it JUST TO SPITE US. You, sir,
 are a childish, immature cock.
 
 
  If people on our mailing list are going to be such jerks about patches
  which we do make available, then maybe we'll spend a whole lot less
  effort making errata and updating -stable.  The whole concept of being
  subservient towards a community of jerks is not realistic.
 
 
 You know, Theo, it makes me fucking sick to see you treat the community of
 people who support your project and pay your wage like this. It makes me
 even sicker to see the crowds of shrill, stupid fanboys on this list who are
 so pathetically eager to agree with you that that they support even your
 most unreasonable, childish and frankly stupid statements. You are a goddam
 hypocrite - either you do OpenBSD purely for yourself and the other

I don't think Theo is a hypocrite; he otherwise makes a highly consistent
behaviour impression on me. To me it looks like a slippage caused by an
external factor. There's a problem and it has to be found and fixed.

Theo, how much time do you sleep on average per night? Aren't you overworked?
Don't you have some kind of family problem (relationship, death, serious
disease)?  Don't you get too little money in donations and feel stressed by
it?  Or some other kind of cockup in your life?

We need to understand that OpenBSD is a unique operating system - it's free,
very complicated, AND proper care is taken in design and programming. That
must be very demanding on the developers.

CL
 developers (in which case I will stop financially supporting the project,
 and everyone else should too) or you recognise that what really keeps
 OpenBSD going is the group of people that advocate OpenBSD, use it in the
 real world, and buy your goddamn CDs and t-shirts to keep you going... The
 idiots on misc that support you when you treat your users this badly aren't
 the real friends of OpenBSD.



Re: Important OpenBSD errata

2007-03-17 Thread Ben Calvert
christ.
buddha.

the thread that would not die.

i invoke godwins law in a (probably ) unsuccessful attempt to end the  
insanity:

nazi nazi holocaust, nazi.



On Mar 17, 2007, at 12:09 PM, Karel Kulhavy wrote:
something useless and inflammatory




Re: Important OpenBSD errata

2007-03-17 Thread Theo de Raadt
 I get a kick out of people who are too slack to spend the two hours
 of reading and twenty minutes of unattended execution time it takes
 to CVS or patch a kernel and compile it.

Some of these people clearly think they are entitled.

But they are not entitled.  Nothing entitles them to anything.  There
is no contract, there is no promise, there is nothing, nothing,
nothing, and nothing.

They should just be thankful.

If they continue to be so rude, they'll get less.  They won't get more
-- they'll get less.  It's not human nature to give more to jerks.



Re: Important OpenBSD errata

2007-03-17 Thread Deanna Phillips
Ray Percival writes:

 No. Everybody with a clue knows that there are two sources for
 good data. The errata page and source-changes.

I'd like to add undeadly's RSS here, since I don't think anyone
has mentioned it yet.  There are two RSS feeds that would have
alerted people to this: one for stories themselves (and we
published the story as soon as that erratum went in) and one for
errata in general.

http://undeadly.org/cgi?action=rss
http://undeadly.org/cgi?action=errata

Well, *I* think it's a reliable source.  :)



Re: Important OpenBSD errata

2007-03-17 Thread Ray Percival



On Mar 17, 2007, at 1:00 PM, Karel Kulhavy wrote:


On Sat, Mar 17, 2007 at 11:43:47AM +1100, fonkprop wrote:
Yet again, we see that although Theo is willing to beg, wheedle and threaten
his user community into sending him money when he needs it, he holds them in
too much contempt to respond to simple, uncontroversial and valid criticism.

On 3/16/07, Theo de Raadt [EMAIL PROTECTED] wrote:

Let's see... the fsck_ffs fix pedro committed a few hours ago.  That
fixes a serious problem where fsck fails to spot filesystem
corruption.  Should we spend time fully assessing how rare or common
this situation is, and then errata it up the stream as fast as
possible, maybe even consider if there are security risks from such
filesystem corruption?  Come on.

What a bullshit argument. When you realised the problem was serious enough
to update the homepage to say only two remote holes... you should also
have sent out an email to security-announce. You had time to send an
announcement to misc - not sending one to the list your project specifically
created for just this type of situation means, quite simply, that you fucked
up. You fucked up, Theo. Do it right next time, or de-commission the
security-announce mailing list for once and for all. The fact that you can't
get a simple thing like this right really makes me wonder about the wisdom
of relying on OpenBSD for real-world use...

The minute someone moans for a posting to the security-announce list
they have removed any desire from me to do so.  And the same comes for
any other errata.

What a completely fucking stupid, border-line insane thing to say. Let's get
this straight - your project sets up a security announcement list
specifically for announcements on vulnerabilities and patches. You then
proceed to ignore it completely for one of the most serious OpenBSD security
problems in the last decade. But no-one is allowed to actually say anything
about this because if they do you'll not use it JUST TO SPITE US. You, sir,
are a childish, immature cock.

If people on our mailing list are going to be such jerks about patches
which we do make available, then maybe we'll spend a whole lot less
effort making errata and updating -stable.  The whole concept of being
subservient towards a community of jerks is not realistic.

You know, Theo, it makes me fucking sick to see you treat the community of
people who support your project and pay your wage like this. It makes me
even sicker to see the crowds of shrill, stupid fanboys on this list who are
so pathetically eager to agree with you that they support even your
most unreasonable, childish and frankly stupid statements. You are a goddam
hypocrite - either you do OpenBSD purely for yourself and the other

I don't think Theo is a hypocrite; otherwise he makes a highly consistent
behaviour impression on me. To me it looks like a slippage caused by an
external factor. There's a problem and it has to be found and fixed.

Theo, how much time do you sleep on average per night? Aren't you overworked?
Don't you have some kind of family problem (relationship, death, serious
disease)?  Don't you get too little money in donations and feel stressed by
it?  Or some other kind of cockup in your life?

We need to understand that OpenBSD is a unique operating system - it's free,
very complicated, AND proper care is taken in design and programming. That
must be very demanding on the developers.

You need to FOAD and stop being an insulting little twat. This is nothing
more and nothing less than the same frustration and rage that every working
admin and coder in the world feels. It's not an accident that the BOFH is
central to our culture in many ways. :) You can like it or not. We don't give
a shit. Go ahead, use the code; that's what it's there for. But FFS stop
trying to change our culture just because you don't like it. We love it and
it's ours. Or if you really hate it, go the fuck away. You will not be
mourned or missed. You are a luser of the worst kind. To deny a man the right
to blow off steam or to start insulting him because he does is just sick and
wrong. So stop it. Now.

CL
developers (in which case I will stop financially supporting the project,
and everyone else should too) or you recognise that what really keeps
OpenBSD going is the group of people that advocate OpenBSD, use it in the
real world, and buy your goddamn CDs and t-shirts to keep you going... The
idiots on misc that support you when you treat your users this badly aren't
the real friends of OpenBSD.




They do not preach that their God will rouse them a little before the nuts
work loose.




Re: Important OpenBSD errata

2007-03-17 Thread Darrin Chandler
On Sat, Mar 17, 2007 at 08:43:57PM +, Deanna Phillips wrote:
 Ray Percival writes:
 
  No. Everybody with a clue knows that there are two sources for
  good data. The errata page and source-changes.
 
 I'd like to add undeadly's RSS here, since I don't think anyone
 has mentioned it yet.  There are two RSS feeds that would have
 alerted people to this: one for stories themselves (and we
 published the story as soon as that erratum went in) and one for
 errata in general.
 
 http://undeadly.org/cgi?action=rss
 http://undeadly.org/cgi?action=errata
 
 Well, *I* think it's a reliable source.  :)

I actually did bring this up yesterday(?), but you've done a better job
and given links. :)

-- 
Darrin Chandler   |  Phoenix BSD Users Group
[EMAIL PROTECTED]  |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/  |



Re: Important OpenBSD errata

2007-03-17 Thread Travers Buda
* Karel Kulhavy [EMAIL PROTECTED] [2007-03-17 19:47:00]:

 It would be better if OpenBSD could be maintained secure even without a 
 skilled
 security professional.
 
 Today's trend is that things are accommodated to ordinary people. You don't 
 need
 a driver anymore to professionally drive your car. You don't need to 
 understand
 how the engine works anymore to operate the car properly. You don't need to
 understand megahertz anymore to tune your TV set.
 

Are you kidding me? OpenBSD does everything for you! Hardware and software 
shipped with the system works right out of the box. The documentation is 
complete, so you don't need to google for basic man pages. And don't even get 
me started on the 2.4 radio support. Kismet just works. You don't have to track 
down some crazy linux kernel patch, make sure you have all the right modules 
loaded, etc. The installer is sparse, and it's a good thing. You partition the 
disks, extract the OS and set your root password. It's all very simple. You've 
probably noticed this stuff, well, the security works just the same. You don't 
have to do anything to make the system more secure. You can only reverse that. 

OpenBSD is the easiest operating system I have ever worked with.

-- 
Travers Buda



Re: Important OpenBSD errata

2007-03-17 Thread Jack J. Woehr

Travers Buda wrote:

* Karel Kulhavy [EMAIL PROTECTED] [2007-03-17 19:47:00]:

  

It would be better if OpenBSD could be maintained secure even without a skilled
security professional.

Today's trend is that things are accommodated to ordinary people. You don't need
a driver anymore to professionally drive your car. You don't need to understand
how the engine works anymore to operate the car properly. You don't need to
understand megahertz anymore to tune your TV set.




Are you kidding me? OpenBSD does everything for you! Hardware and software
shipped with the system works right out of the box. The documentation is
complete, so you don't need to google for basic man pages. And don't even get
me started on the 2.4 radio support. Kismet just works. You don't have to track
down some crazy linux kernel patch, make sure you have all the right modules
loaded, etc. The installer is sparse, and it's a good thing. You partition the
disks, extract the OS and set your root password. It's all very simple. You've
probably noticed this stuff, well, the security works just the same. You don't
have to do anything to make the system more secure. You can only reverse that.


OpenBSD is the easiest operating system I have ever worked with.

  

You're both right!

The security Karel describes, in the most ideal of plausible scenarios,
would be the security of the automobile: it's pretty secure against dolts,
but experts can still steal it.

And Travers is right that it's the easiest. Because it's the simplest and
most thematically coherent. Which is the best hope for the amateur secure
systems buff.

--
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Re: Important OpenBSD errata

2007-03-17 Thread Shawn K. Quinn
On Sat, 2007-03-17 at 19:08 +0100, Karel Kulhavy wrote:
 I also suggest that the list include the cumulative amount
 for each donor, sorted so that the biggest donors are at the
 top.

To me, this makes about as much sense as publishing a similar list for
penis size (and whatever its female equivalent would be). Money is not
the only way to contribute to a project.

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: Important OpenBSD errata

2007-03-16 Thread Sunnz

It is not just an implication, that's exactly what it said:

receives OpenBSD security advisories and pointers to security patches
as they become available.

If I tell you that I'll give you fries as they become available what
would you think I am saying?

It is really simple English and as there is a lot to read, no one is
going to examine each and every single word to pull apart the
semantics and implications or whatever, people are just going to read
it and take what it says.

2007/3/16, Lars Hansson [EMAIL PROTECTED]:

On Fri, 16 Mar 2007 06:03:49 +
tony sarendal [EMAIL PROTECTED] wrote:

 http://www.openbsd.org/mail.html
 ---
 *security-announce* Security announcements. This low volume list receives
 OpenBSD security advisories and pointers to security patches as they become
 available.
 ---
 Martin and Karl have valid points in their initial emails.

Only it doesn't actually say how timely it is supposed to be or even
that all advisories and patches will have a corresponding email. Sure,
you could say it's implied but it's sure not spelled out and the
OpenBSD project isn't exactly overflowing with personnel. But maybe
Karl and Martin are volunteering to maintain security-announce.

--
Lars Hansson [EMAIL PROTECTED]





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Important OpenBSD errata

2007-03-16 Thread Lars Hansson
On Fri, 16 Mar 2007 18:03:02 +1100
Sunnz [EMAIL PROTECTED] wrote:

 If I tell you that I'll give you fries as they become available what
 would you think I am saying?

Unless it's your job to give them to me now and I have paid you to do
so I'd expect to get them whenever you have them and feel like giving
me some.

-- 
Lars Hansson [EMAIL PROTECTED]



Re: Important OpenBSD errata

2007-03-16 Thread Sunnz

2007/3/16, Travers Buda [EMAIL PROTECTED]:

* tony sarendal [EMAIL PROTECTED] [2007-03-16 06:03:49]:
of ingratitude...  because there is ingratitude.  To add insult to
injury, people ask for more than what is freely offered.  Example:
this thread.


Are people really asking for more than what is freely offered?

The web page says security advisories and pointers are posted on the
security-announce list as they become available.

The web site is part of the project, which offers an OS and mailing
lists. If the OS is not there you would expect people to ask about it,
wouldn't you?


If you want to see X feature, hire one of the developers.
If you want to keep getting releases, pay Theo's hydroponics..  err
electric bill.  etc etc


But this is NOT a missing feature, the feature is there, but it is not
working as the doc says it should.

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Important OpenBSD errata

2007-03-16 Thread Sunnz

But if you see fries do become available wouldn't you ask me what happened?

Yes I may have no obligation to give you fries, but since I said I
will give you the fries when they become available, should I not
expect you to ask me what went wrong with my offering?

2007/3/16, Lars Hansson [EMAIL PROTECTED]:

On Fri, 16 Mar 2007 18:03:02 +1100
Sunnz [EMAIL PROTECTED] wrote:

 If I tell you that I'll give you fries as they become available what
 would you think I am saying?

Unless it's your job to give them to me now and I have paid you to do
so I'd expect to get them whenever you have them and feel like giving
me some.

--
Lars Hansson [EMAIL PROTECTED]





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Important OpenBSD errata

2007-03-16 Thread tony sarendal
On 16/03/07, Travers Buda [EMAIL PROTECTED] wrote:

 * tony sarendal [EMAIL PROTECTED] [2007-03-16 06:03:49]:

  http://www.openbsd.org/mail.html
  ---
  *security-announce* Security announcements. This low volume list
  receives OpenBSD security advisories and pointers to security patches
  as they become available.
  ---
  Martin and Karl have valid points in their initial emails.
 
  /Tony S
 

 It's important to put yourself in Theo et al.'s shoes.  Here's a
 group of people who write code for free, and then give it away for
 free.  There's no serious cash inflow to enable them to do everything
 they want.  The code can be used by anybody for whatever purpose,
 like: making money!  And does that money ever find its way back
 to OpenBSD?  I'm talking about big corporations here.  OpenSSH is
 in _everything_.  It's only natural that OpenBSD should feel a sense
 of ingratitude...  because there is ingratitude.  To add insult to
 injury, people ask for more than what is freely offered.  Example:
 this thread.

 If you want to see X feature, hire one of the developers.
 If you want to keep getting releases, pay Theo's hydroponics..  err
 electric bill.  etc etc



I don't see how your excuses apply here.

If Theo made a mistake by not Cc'ing security-announce
that is ok, he is only human. This can be corrected in the future by
either sending it to that list or changing the website.

/Tony S

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: Important OpenBSD errata

2007-03-16 Thread Artur Grabowski
Karl O. Pinc [EMAIL PROTECTED] writes:

 On 03/15/2007 11:04:49 PM, Jeremy Huiskamp wrote:
 
  That's what I was going to say.  If you did things properly,
  you would have had this patch applied before you knew that it
  was a remote hole.
 
 You have a valid point: any bug is a security problem.
 However, the topic is not my management practices and
 the tradeoffs involved therein.  The topic is the
 efficacy of the security-announce list.  If I knew
 security-announce was broken I could write a screen-scraper
 to check the errata page for me.

Any bug is a security problem. Let's forward source-changes to
security-announce.

//art



Re: Important OpenBSD errata

2007-03-16 Thread Karel Kulhavy
On Tue, Mar 13, 2007 at 04:46:26PM -0600, Theo de Raadt wrote:
 This means everyone should have our latest patches installed.

[...]

 *Solution/Vendor Information/Workaround*
 
  The OpenBSD team has released a security fix to correct the mbuf
  problem, it is available as a source code patch for OpenBSD 4.0
  and 3.9 here:
 
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch
 
  The patch can also be applied to previous versions of OpenBSD.

Is it possible to fix an OpenBSD 4.0 system without compiling anything, by
e.g. somehow rewriting the file that contains the kernel? I have never compiled
OpenBSD, ports etc. and don't have time to study all the theory around OpenBSD
- I am sure if I attempt to recompile my system, I could easily screw it up
completely.

CL



Re: Important OpenBSD errata

2007-03-16 Thread Kian Mohageri
On 3/16/07, Lars Hansson [EMAIL PROTECTED] wrote:

 On Fri, 16 Mar 2007 18:03:02 +1100
 Sunnz [EMAIL PROTECTED] wrote:

  If I tell you that I'll give you fries as they become available what
  would you think I am saying?

 Unless it's your job to give them to me now and I have paid you to do
 so I'd expect to get them whenever you have them and feel like giving
 me some.


Yeah.  Expectations aside, being condescending is never warranted.  Both
Karl and Martin did just that.  They could have asked if there was a reason
it wasn't sent to security-announce@ instead of misc@, rather than saying
This is terrible handling of a bug after it was fixed almost immediately.
Seems some people spend very little time thanking the developers for the
immediate fix and instead go straight to suggestions on how to handle their
project better.



-- 
Kian Mohageri



Re: Important OpenBSD errata

2007-03-16 Thread Reyk Floeter
On Fri, Mar 16, 2007 at 02:31:09AM +, Karl O. Pinc wrote:
 I agree.  I'm very annoyed that I have to read about this
 problem on slashdot.  The misc list is not the right place
 for this announcement, some low-traffic announce list that
 goes right into my inbox is where this stuff belongs.
 I rely on having a clear channel for security related
 problems.
 
 OpenBSD's excellent reputation is what allows me to
 sell it to my clients, which allows me to work with
 OpenBSD.  I've always used the proactive, transparent, and
 forthright tone of OpenBSD related communication as
 a selling point.  This is the first time I've felt
 let down and I hope it's the last.
 

sorry, you sell OpenBSD to your clients without looking at the errata?
without following the latest changes?

just wondering,
reyk



Re: Important OpenBSD errata

2007-03-16 Thread Karel Kulhavy
On Wed, Mar 14, 2007 at 05:45:39PM +0100, Tom Van Looy wrote:
 What about: Release Mode: FORCED RELEASE?
 This is about the exploit, right? And not the advisory.

Why isn't anything written on the title page openbsd.org? Having a remote root
exec proof of concept is not enough to ask the users to promptly reinstall
their faulty kernel?

For how many years has this remote exploit been in the kernel?

CL



Re: Important OpenBSD errata

2007-03-16 Thread Martin Schröder

2007/3/16, Kian Mohageri [EMAIL PROTECTED]:

Yeah.  Expectations aside, being condescending is never warranted.  Both
Karl and Martin did just that.  They could have asked if there was a reason
it wasn't sent to security-announce@ instead of misc@, rather than saying
This is terrible handling of a bug after it was fixed almost immediately.


It _was_ fixed quite fast; the released patch took another 10 days
(granted, waiting for PoC is understandable). What was lacking is what
Core criticised: This was not seen as a security problem right along,
instead it took a PoC _exploit_ before we all got a warning by Theo,
and even that warning was _not_ on the designated channel
(security-announce).

I've said it before: security-announce is broken. Either fix it
(shouldn't really be too hard and takes less time than reading this
thread) or delete it and point to source-changes instead.

I'm annoyed that the handling led to much negative press for the
project. We can do better. But Theo seems to think everything is fine.

Best
  Martin



Re: Important OpenBSD errata

2007-03-16 Thread Joachim Schipper
On Fri, Mar 16, 2007 at 09:54:16AM +0100, Karel Kulhavy wrote:
 On Tue, Mar 13, 2007 at 04:46:26PM -0600, Theo de Raadt wrote:
  This means everyone should have our latest patches installed.
 
  *Solution/Vendor Information/Workaround*
  
   The OpenBSD team has released a security fix to correct the mbuf
   problem, it is available as a source code patch for OpenBSD 4.0
   and 3.9 here:
  
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch
  
   The patch can also be applied to previous versions of OpenBSD.
 
 Is it possible to fix an OpenBSD 4.0 system without compiling anything, by
 e.g. somehow rewriting the file that contains the kernel? I have never compiled
 OpenBSD, ports etc. and don't have time to study all the theory around OpenBSD
 - I am sure if I attempt to recompile my system, I could easily screw it up
 completely.

Not really. Someone here could provide you with a kernel, but you'd have
to trust that person not to put any backdoors in.

Compiling -stable is not that difficult, really. It does require some
disk space, but once you have sufficient space it's quite easy.

Joachim



Re: Important OpenBSD errata

2007-03-16 Thread Martin Schröder

2007/3/16, Theo de Raadt [EMAIL PROTECTED]:

I don't know what to say.  I am trying to get past the first
impression of you being a whining liar who quotes some fiction author.


Theo,
is flaming all you have to say in this thread?

Seriously: Do you think this bug was handled in the right way?

Best
  Martin



Re: Important OpenBSD errata

2007-03-16 Thread Tor Houghton
On Fri, Mar 16, 2007 at 09:54:16AM +0100, Karel Kulhavy wrote:
 
 Is it possible to fix an OpenBSD 4.0 system without compiling anything, by
 e.g. somehow rewriting the file that contains the kernel? I have never compiled
 OpenBSD, ports etc. and don't have time to study all the theory around OpenBSD
 - I am sure if I attempt to recompile my system, I could easily screw it up
 completely.
 

You don't have time to figure out how to install the system source and
compile the kernel, but you do have time to read this list and ask for
ridiculous alternatives?

Tor



Re: Important OpenBSD errata

2007-03-16 Thread Martin Schröder

2007/3/16, Lars Hansson [EMAIL PROTECTED]:

OpenBSD project isn't exactly overflowing with personnel. But maybe
Karl and Martin are volunteering to maintain security-announce.


I'd be willing to do that (forward errata to security-announce), but
let's not forget that OpenBSD is a dictatorship, i.e. it's for Theo to
decide.

Best
  Martin



Re: Important OpenBSD errata

2007-03-16 Thread Stuart Henderson
 Is it possible to fix an OpenBSD 4.0 system without compiling anything,
 by e.g. somehow rewriting the file that contains the kernel?

Yes, if you have a copy of the kernel from someone you trust to
provide it.

 I have never compiled OpenBSD, ports etc.

No need to compile all of OpenBSD.

1. If you don't have 4.0 kernel source code installed already,
follow the section 'Pre-loading the tree' to install sys.tar.gz;
http://www.openbsd.org/faq/faq5.html#BldGetSrc.

2. Apply the patch.

3. Follow http://www.openbsd.org/faq/faq5.html#Building

There are no official sources for binaries. OpenBSD supports 17 hardware
platforms, so that's another *34* build machines to power, cool, house, admin
and repair, to produce binaries for the two supported releases.
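The three steps above, written out as an added example; this is not Stuart's code and not anything shipped by the OpenBSD project. It is a small sh script that pre-loads sys.tar.gz, fetches and applies the 010_m_dup1.patch named in the advisory, and builds and installs GENERIC the way FAQ 5 describes. The mirror layout for sys.tar.gz, the DRYRUN switch, the function names and the use of patch -C as a pre-check are assumptions of the example, not from the page; the mirror should be replaced with one from http://www.openbsd.org/ftp.html.

```shell
#!/bin/sh
# Added example (not from the list thread or the OpenBSD project): the three
# steps from the reply above as shell functions.  With DRYRUN=1 every command
# is printed instead of executed, so the plan can be reviewed on any machine
# before it is run as root on the 4.0 box.
#
# Assumptions (not stated on the page): the mirror layout below, the DRYRUN
# switch, and running patch -C as a pre-check before the real apply.

MIRROR="${MIRROR:-ftp://ftp.openbsd.org/pub/OpenBSD}"  # use a nearby mirror
RELEASE="${RELEASE:-4.0}"
PATCH="${PATCH:-010_m_dup1.patch}"   # errata patch named in the advisory
SRC="${SRC:-/usr/src}"

# Print the command under DRYRUN; otherwise run it and abort on failure.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; exit 1; }
    fi
}

# Step 1: pre-load the kernel tree (FAQ 5, "Pre-loading the tree").
fetch_sys_tree() {
    run mkdir -p "$SRC"
    run cd "$SRC"
    run ftp -o sys.tar.gz "$MIRROR/$RELEASE/sys.tar.gz"
    run tar xzf sys.tar.gz
}

# Step 2: fetch the errata patch, check that every hunk applies cleanly
# (patch -C modifies nothing; a rejected hunk means the wrong tree), then
# apply it for real.
apply_errata_patch() {
    run cd "$SRC"
    run ftp -o "$PATCH" "$MIRROR/patches/$RELEASE/common/$PATCH"
    run patch -C -p0 -i "$PATCH"
    run patch -p0 -i "$PATCH"
}

# Step 3: build GENERIC and install it, keeping the old kernel as /bsd.old
# (FAQ 5, "Building the kernel").  Takes the architecture name as $1.
build_kernel() {
    arch="${1:-$(uname -m)}"
    run cd "$SRC/sys/arch/$arch/conf"
    run config GENERIC
    run cd "../compile/GENERIC"
    run make clean
    run make depend
    run make
    run cp /bsd /bsd.old
    run cp bsd /bsd
}

main() {
    fetch_sys_tree
    apply_errata_patch
    build_kernel "$@"
    echo "new kernel installed; reboot to run it"
}

# Usage: DRYRUN=1 sh patch-kernel.sh go     (review the command list first)
#        sh patch-kernel.sh go              (as root on the 4.0 machine)
if [ "${1:-}" = "go" ]; then
    shift
    main "$@"
fi
```

Run it with DRYRUN=1 first and read the printed command list for your architecture; only then run it for real as root. The patch -C pass stops the script before anything in /usr/src is modified if the tree is not the 4.0 source the patch was made against, and /bsd.old remains bootable if the new kernel turns out to be bad.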



Re: Important OpenBSD errata

2007-03-16 Thread Alexander Hall

Karel Kulhavy wrote:

On Tue, Mar 13, 2007 at 04:46:26PM -0600, Theo de Raadt wrote:

This means everyone should have our latest patches installed.


[...]


*Solution/Vendor Information/Workaround*

 The OpenBSD team has released a security fix to correct the mbuf
 problem, it is available as a source code patch for OpenBSD 4.0
 and 3.9 here:

 ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch

 The patch can also be applied to previous versions of OpenBSD.


Is it possible to fix an OpenBSD 4.0 system without compiling anything, by
e.g. somehow rewriting the file that contains the kernel? I have never
compiled OpenBSD, ports etc. and don't have time to study all the theory
around OpenBSD - I am sure if I attempt to recompile my system, I could
easily screw it up completely.


I added 'block quick inet6' to pf.conf.
I obviously do not use IPv6.

However, you should probably learn how to follow -STABLE or patch your
system. Fire up a test machine on some old hardware. It really is not
that hard if you follow the FAQ and the man pages. The kernel is really
a piece of cake to compile, following config(8).

I may be biased, though. :)

/Alexander 



Re: Important OpenBSD errata

2007-03-16 Thread Richard Thornton

Hi

I have donated, my hard earned.  I don't involve myself commercially
in OBSD but I listen.

This is idiotic, a big hole was found and the devs pissed about
because they didn't want to admit it.

OBSD's strength is in being open, be open.

Move on and end this.

Theo, chill out.

Cheers
Rich


On 16/03/07, Martin Schröder [EMAIL PROTECTED] wrote:

2007/3/16, Lars Hansson [EMAIL PROTECTED]:
 OpenBSD project isn't exactly overflowing with personnel. But maybe
 Karl and Martin are volunteering to maintain security-announce.

I'd be willing to do that (forward errata to security-announce), but
let's not forget that OpenBSD is a dictatorship, i.e. it's for Theo to
decide.

Best
   Martin




Re: Important OpenBSD errata

2007-03-16 Thread John Gould

On Fri, 16 Mar 2007, Joachim Schipper wrote:


On Fri, Mar 16, 2007 at 09:54:16AM +0100, Karel Kulhavy wrote:

On Tue, Mar 13, 2007 at 04:46:26PM -0600, Theo de Raadt wrote:

This means everyone should have our latest patches installed.



*Solution/Vendor Information/Workaround*

 The OpenBSD team has released a security fix to correct the mbuf
 problem, it is available as a source code patch for OpenBSD 4.0
 and 3.9 here:

 ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch

 The patch can also be applied to previous versions of OpenBSD.


Is it possible to fix an OpenBSD 4.0 system without compiling anything, by
e.g. somehow rewriting the file that contains the kernel? I have never compiled
OpenBSD, ports etc. and don't have time to study all the theory around OpenBSD
- I am sure if I attempt to recompile my system, I could easily screw it up
completely.


Not really. Someone here could provide you with a kernel, but you'd have
to trust that person not to put any backdoors in.

Compiling -stable is not that difficult, really. It does require some
disk space, but once you have sufficient space it's quite easy.

Joachim


Joachim,
This guy doesn't want to do anything, read docs, compile a kernel, 
compile the system etc. Perhaps he would be better off running something 
else?


John.



Re: Important OpenBSD errata

2007-03-16 Thread Stuart Henderson
On 2007/03/16 11:02, Alexander Hall wrote:
 I added 'block quick inet6' to pf.conf.
 I obviously do not use IPv6.

IPv6 link-local (which doesn't need any configuration, it's enabled
by default) can be a useful backup to have in the event of accidentally
breaking IPv4 (missing 'alias' to ifconfig(8) is always a favourite).

You can easily locate other hosts on the segment with the handy
'ping6 -w ff02::1%sk0' (where sk0 is the interface name) that Brad
mentioned in relation to testing multicast..



Re: Important OpenBSD errata

2007-03-16 Thread Lars Hansson
On Fri, 16 Mar 2007 21:22:58 +1100
Richard Thornton [EMAIL PROTECTED] wrote:
 This is idiotic, a big hole was found and the devs pissed about
 because they didn't want to admit it.

Say what? Didn't want to admit it? In what alternative universe was
this?

 OBSD's strength is in being open, be open.

Yeah, it's so closed the source patch was available 10 days ago...

 Move on and end this.
That's good advice though.

-- 
Lars Hansson [EMAIL PROTECTED]



Re: Important OpenBSD errata

2007-03-16 Thread Theo de Raadt
 This is idiotic, a big hole was found and the devs pissed about
 because they didn't want to admit it.

No one in OpenBSD is pissed off about this.  We posted the bug fix as
soon as we became aware of the problem.  The timeline goes like this:

1) We were told there was a mbuf crash, which could remotely CRASH
   the machine.  There was no proof that more could be done, not even
   a whiff.

2) We committed the fix, about 24 hours later.  It took a few days to
   get the errata up because the people who do that were at a conference.
   It was labelled as a RELIABILITY FIX because everyone felt it was just
   a CRASH.  I then entered into a long conversation with Core explaining
   why we label crash fixes (even remote) as RELIABILITY FIXES.

3) Core felt maybe something more could be done and continued working,
   and ONE WEEK LATER, finally managed to show us brand new code
   which showed that intrusion was possible.  Before that moment, it
   was still just confirmed to be a CRASH.

4) A few hours after we become aware that it was more than a CRASH, we
   changed the advisory to say it was a real security risk.  We first had
   to get the patch into -stable, 

   I changed index.html to talk about there being TWO remote holes in
   more than 10 years, without even discussing this with any other
   developer, because I knew it was true.  Other developers in the group
   were stunned to see me change it.

5) Core decided that their advisory should include their interpretation
   of our discussion as to why OpenBSD labels crash fixes as RELIABILITY
   FIXES.  Three times I told them that I thought that was a mistake,
   and that the public would not understand the reasoning as they wrote
   it.

That is what happened.  If you don't believe me, mail Ivan Arce at
Core and ask him if any of the 5 points above are wrong.  Come on, go
ask him if I am a liar... go ahead.

Yes, some of the press got it wrong too, and part of that I feel is
Ivan Arce's fault.  He should have been more cautious at explaining
the complex discussion OpenBSD had with Core, where we explained why
we label errata for remote crashes a Reliability Fix.  Or he should
have skipped it altogether.

He even went around telling the press that this shows that IPV6 is a
risky new technology, when the fact is that this was a mbuf corruption
bug, in code that all parts of the network stack could potentially use
in the same way.  He's got his layers wrong.  But finding bugs in
other people's software lets companies like Core sell themselves as
experts.  They are experts, but the good press they get should not
cost us in this way.

Let's see... the fsck_ffs fix pedro committed a few hours ago.  That
fixes a serious problem where fsck fails to spot filesystem
corruption.  Should we spend time fully assessing how rare or common
this situation is, and then errata it up the stream as fast as
possible, maybe even consider if there are security risks from such
filesystem corruption?  Come on.  Yet that is what some non-experts
moan for.  They want projects with only a few people (who are doing
this for a hobby) to struggle down these well-defined paths that their
little brains can understand.  They don't understand all the other
things that developers do, so they wish to cubby-hole us into these
procedures.  In the last 10 years they have not gotten us to behave
so, and in the next 10 years it won't happen either.

The reality is that people don't hold their own mothers as accountable
as they are trying to do here with us, yelling conspiracy, downplay,
etc.

The minute someone moans for a posting to the security-announce list
they have removed any desire from me to do so.  And the same comes for
any other errata.

If people on our mailing list are going to be such jerks about patches
which we do make available, then maybe we'll spend a whole lot less
effort making errata and updating -stable.  The whole concept of being
subservient towards a community of jerks is not realistic.

 Move on and end this.
 
 Theo, chill out.

I've been chill the entire time.  If I have not been around much on
the lists, it is because I'm getting 4.1 out the door.

I really don't understand why a few people have to be assholes about
this.  Go fix the problems in your own lives first...



Re: Important OpenBSD errata

2007-03-16 Thread Jason Dixon

On Mar 16, 2007, at 6:20 AM, John Gould wrote:


On Fri, 16 Mar 2007, Joachim Schipper wrote:

Is it possible to fix OpenBSD 4.0 system without compiling anything, by e. g.
somehow rewriting the file that contains the kernel? I have never compiled
OpenBSD, ports etc. and don't have time to study all the theory around OpenBSD
- I am sure if I attempt to recompile my system, I could easily screw it up
completely.


Not really. Someone here could provide you with a kernel, but you'd have
to trust that person not to put any backdoors in.


You're welcome to use my unsupported -stable kernel that I make  
available for aac users.  Please read the aac.README for more details.


http://colo2.dixongroup.net/releases/unsupported/4.0-stable-20070314/i386/


P.S.  As Joachim mentions, you have to trust the person who distributes the code.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Important OpenBSD errata

2007-03-16 Thread z0mbix

On 16/03/07, Almir Karic [EMAIL PROTECTED] wrote:

is this a second remote hole in default install?

--
almir



http://www.openbsd.org/



Re: Important OpenBSD errata

2007-03-16 Thread Karl O. Pinc

On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:

 Expectations aside, being condescending is never warranted.

Both
Karl and Martin did just that.


I did not intend to be condescending and apologise if it
was taken that way.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-16 Thread Diana Eichert

On Fri, 16 Mar 2007, Jason Dixon wrote:

You're welcome to use my unsupported -stable kernel that I make available for 
aac users.  Please read the aac.README for more details.


http://colo2.dixongroup.net/releases/unsupported/4.0-stable-20070314/i386/

P.S.  As Joachim mentions, you have to trust the person who distributes the 
code.


--
Jason Dixon


I would never trust Jason. ;-)

diana
PS Besides the aac stuff I noticed marc-20070203.  What is marc?



Re: Important OpenBSD errata

2007-03-16 Thread Martin Schröder

2007/3/16, Karl O. Pinc [EMAIL PROTECTED]:

On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:
  Expectations aside, being condescending is never warranted.
 Both
 Karl and Martin did just that.

I did not intend to be condescending and apologise if it
was taken that way.


Same here. It was a statement of facts.

Best
  Martin



Re: Important OpenBSD errata

2007-03-16 Thread Jason Dixon

On Mar 16, 2007, at 9:53 AM, Diana Eichert wrote:


On Fri, 16 Mar 2007, Jason Dixon wrote:

You're welcome to use my unsupported -stable kernel that I make available for
aac users.  Please read the aac.README for more details.


http://colo2.dixongroup.net/releases/unsupported/4.0-stable-20070314/i386/


P.S.  As Joachim mentions, you have to trust the person who distributes the code.


--
Jason Dixon


I would never trust Jason. ;-)


Thank goodness, it means less work for me.  :D


diana
PS Besides the aac stuff I noticed marc-20070203.  What is marc?


Nothing to see here, move along.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Important OpenBSD errata

2007-03-16 Thread Miod Vallat

PS Besides the aac stuff I noticed marc-20070203.  What is marc?


MARC is a top secret project only US government agencies and their
contractors know about.

The name stands for :

  Moderately
  Advanced
  Rumours
  Creator

and is being used as part of an evil conspiracy to reduce the signal/noise
ratio of mailing lists. (Of course, some lists like this one do not need
help to maintain a low s/n ratio, but there are some things conspirationnists
can never understand).

Miod



Re: Important OpenBSD errata

2007-03-16 Thread Travers Buda
* tony sarendal [EMAIL PROTECTED] [2007-03-16 08:15:18]:

 I don't see how your excuses apply here.
 

I can't help this =) : I noticed your quote about metaphysics.  Well
it's metaphysically ridiculous to even expect excuses from people
who owe you nothing.

 If Theo made a mistake by not sending Cc'ing security-announce
 that is ok, he is only human. This can be corrected in the future by
 either sending it to that list or changing the website.
 

If you look at security-announce@, it follows a special format.
Theo is busy.  There's the 4.1 release.  And I'm sure Theo does
other things besides OpenBSD.

-- 
Travers Buda



Re: Important OpenBSD errata

2007-03-16 Thread Diana Eichert

On Fri, 16 Mar 2007, Miod Vallat wrote:


PS Besides the aac stuff I noticed marc-20070203.  What is marc?


MARC is a top secret project only US government agencies and their
contractors know about.

The name stands for :

Moderately
Advanced
Rumours
Creator

and is being used as part of an evil conspiracy to reduce the signal/noise
ratio of mailing lists. (Of course, some lists like this one do not need
help to maintain a low s/n ratio, but there are some things conspirationnists
can never understand).

Miod


Ah, shucky darn, I thought it was a special custom kernel being developed 
for MARC, the mailing list archive.  You sure kernel support for MySQL 
isn't getting developed?  The rumor I'd heard was kernel level MySQL 
calls were getting added on the 1st of next month.


diana



Re: Important OpenBSD errata

2007-03-16 Thread Jacob Yocom-Piatt

Miod Vallat wrote:

PS Besides the aac stuff I noticed marc-20070203.  What is marc?


MARC is a top secret project only US government agencies and their
contractors know about.

The name stands for :

  Moderately
  Advanced
  Rumours
  Creator

and is being used as part of an evil conspiracy to reduce the signal/noise
ratio of mailing lists. (Of course, some lists like this one do not need
help to maintain a low s/n ratio, but there are some things conspirationnists
can never understand).



we better contact jim_dandey about this whole MARC thing. looks like he 
got his acronym wrong. what was that about the signal to noise 
rab click


From: james dandey jim_dandey at yahoo.com
Subject: tampering with suspect's cars 
http://news.gmane.org/find-root.php?message_id=%3c20061125002915.26331.qmail%40web52310.mail.yahoo.com%3e
Newsgroups: gmane.os.openbsd.misc 
http://news.gmane.org/gmane.os.openbsd.misc, 
gmane.network.freeswan.user 
http://news.gmane.org/gmane.network.freeswan.user
Date: 2006-11-25 00:29:15 GMT (15 weeks, 6 days, 15 hours and 14 minutes 
ago)


In the San *Francisco* bay area the F--B-I tamper with suspects *car*s. They 
put an oily substance in my
windshield waasher, loosened suspension components, removed wheel weights, put 
nails in tires,etc..

Has any of his happened in Huntsville alabama? I have often warned the corrupt 
tails that tampering with my
*car* is going to lead to the injury/death of non-involved people.


The F-B-I poison the pets owned by suspects.
 The F-B-I steal from suspects.
 The F-Bi use gang members to harras suspects.




Miod




Re: Important OpenBSD errata

2007-03-16 Thread Greg Thomas

On 3/16/07, Travers Buda [EMAIL PROTECTED] wrote:

* tony sarendal [EMAIL PROTECTED] [2007-03-16 08:15:18]:

 I don't see how your excuses apply here.


I can't help this =) : I noticed your quote about metaphysics.  Well
it's metaphysically ridiculous to even expect excuses from people
who owe you nothing.

 If Theo made a mistake by not sending Cc'ing security-announce
 that is ok, he is only human. This can be corrected in the future by
 either sending it to that list or changing the website.


If you look at security-announce@, it follows a special format.
Theo is busy.  There's the 4.1 release.  And I'm sure Theo does
other things besides OpenBSD.



And to all those bitchers and whiners, does it make you feel important
to state the fucking obvious?  I hope not, generally I feel important
when I come up with a suggestion no one else has thought of (which
isn't often).

Greg



Re: Important OpenBSD errata

2007-03-16 Thread Darren Spruell

On 3/16/07, Martin Schröder [EMAIL PROTECTED] wrote:
[snip blah blah blah...]

After all the kvetching and sensationalism that's characterized both
this thread and the release of this errata, there are a few things I
wanted to point out. Theo's already put out the timeline and
circumstances around classification of reliability and later security
fix. Core Security also included the timeline in their advisory. The
first point to make is this: the fix was applied in a more-than-timely
manner. The errata was merged into -stable and made available March 7.
Core Security released their advisory March 13. That's very good lead
time, and that means the patch was available darn near a week before
the advisory came out. If people aren't checking the errata pages for
a week at a time, there's a larger issue than a lack of email
notification.

The second point relates to the natural dissent that the first point
invites; if the announcement doesn't go to the security announce list,
how are people supposed to know that the errata is available? I want
everyone trying to make that point to think of all the software
vendors they deal with, including the commercial software vendors to
whom you pay thousands (and depending on the size of your
organization, millions) of dollars to per year. Can you say that you
get SMTP notifications from all of them? The answer, if you're in any
situation resembling what I've been in for the last decade, is no. The
reality is, it's *not* an assumption that you'll get notifications
from anyone in your happy little inbox. Most of my current vendors
(lots of them, too) don't have any official vulnerability notification
channel in place, and when we approach them about it, they point us to
their web site support page where we can find updates as they are
released. The landscape for this kind of thing is awful, and in fact
OpenBSD is ahead of the curve here because they actually do admit and
respond to vulnerabilities in an open manner. Closed source,
commercial vendors hide it and sweep it under the rug.

As has been pointed out, you will have better success tracking other
sources such that you increase your chances of hearing about
vulnerability information before it's too late. source-changes is a
good option. Undeadly is nice. tech@ is a good one to lurk on. There's
an IRC channel. And of course, there's the collection of Internet
resources for vulnerability research information. If you're not
tracking things like bugtraq, full-disclosure, Dshield, CERT lists,
milw0rm, etc, etc, etc, then your problems (and your precious
customers' problems) are much bigger than an IPv6 vulnerability in
OpenBSD.

You can bitch about the security announce mailing list, or you can put
forth some effort to do something proactive yourself to get more
benefit from the free software you use. Those of us that were patched
before the advisory came out would probably say you're better off with
the latter.

DS
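
The daily errata check that the post above (and Ray's "glance at the errata page once or twice a day") amounts to, as an added example that is not part of this thread or of the OpenBSD project: it compares two listings of a mirror's pub/OpenBSD/4.0/common/ directory and reports which patches are new, revised or withdrawn, and lists which patches a host has not recorded as applied. The listing format (file name and size), every patch name other than 010_m_dup1.patch, and all sizes are constructed for the example; a real run would feed it listings fetched with ftp(1) on successive days, the way the /etc/errata script at the top of this page does with the errata tarball.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenBSD project.
# Compare two listings of a mirror's pub/OpenBSD/4.0/common/ directory and
# report which errata patches are new, revised or withdrawn, then list the
# patches this host has not recorded as applied.  Listing format assumed:
#   <patch file name> <size in bytes>
# The listings, every patch name other than 010_m_dup1.patch and all sizes
# in demo() are constructed for this example.

# errata_changes OLD NEW
#   NEW <name>      patch absent from OLD
#   CHANGED <name>  size differs, i.e. the patch was revised after first issue
#   REMOVED <name>  patch present in OLD but gone from NEW
errata_changes() {
    awk '
        NF < 2 { next }                                  # skip blank/odd lines
        FILENAME == ARGV[1] { old[$1] = $2; next }       # first file: OLD
        {
            seen[$1] = 1
            if (!($1 in old)) { print "NEW " $1 } else if (old[$1] != $2) { print "CHANGED " $1 }
        }
        END { for (n in old) if (!(n in seen)) print "REMOVED " n }
    ' "$1" "$2" | sort
}

# errata_pending LISTING APPLIED
#   APPLIED holds one patch name per line for patches already applied on this
#   host (the role /var/errata plays in the script at the top of the page);
#   prints the listing entries not in it.
errata_pending() {
    awk '
        NF == 0 { next }
        FILENAME == ARGV[1] { done[$1] = 1; next }       # first file: APPLIED
        !($1 in done)       { print $1 }
    ' "$2" "$1" | sort
}

# Constructed sample data: yesterday's listing, today's listing and this
# host's record of applied patches.
demo() {
    tmp=$(mktemp -d /tmp/errata.XXXXXXXXXX) || exit 1
    printf '%s\n' '001_example.patch 1702' '007_example.patch 2140' > "$tmp/old"
    printf '%s\n' '001_example.patch 1702' '007_example.patch 2391' \
                  '010_m_dup1.patch 3150' > "$tmp/new"
    printf '%s\n' '001_example.patch' > "$tmp/applied"
    echo "changes since last check:";  errata_changes "$tmp/old" "$tmp/new"
    echo "not yet applied on this host:"; errata_pending "$tmp/new" "$tmp/applied"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the constructed case: 007_example.patch is reported as CHANGED (a revised patch that must be re-applied) and 010_m_dup1.patch as NEW. Anything on the "not yet applied" list is the gap between what the mirror offers and what the host runs, which is the number that actually matters, independent of whether an announcement mail was ever sent.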



Re: Important OpenBSD errata

2007-03-16 Thread Kian Mohageri
On 3/16/07, Karl O. Pinc [EMAIL PROTECTED] wrote:


 On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:

  Yeah.  Expectations aside, being condescending is never warranted.

 We've all spent more time on this than it's worth, but I would
 appreciate it if you'd point out any condescension in my
 initial posts so I can do better next time.  Promise I won't
 waste your time by trying to justify my choice of words.



I hate to keep this going, but it sounds like you genuinely want to know for
future reference.  So, from your initial post:

I agree.  I'm very annoyed that I have to read about this
problem on slashdot.  The misc list is not the right place
for this announcement


Martin's reply was much more condescending.  I know it is very easy to
misinterpret people online, which is what seems to have happened here.  To
me, both of your posts initially came across as kind of unappreciative, and
I'd imagine at least a few developers probably feel that way too (but I
can't speak for them).

I'm not saying that you're unappreciative, just that it seemed that way.

That is why when I write suggestions, I usually find something to thank the
person for too, just so they don't feel under attack.  Only hearing from
people about things that are done _wrong_ really gets old.  We all know
that.

Darren's latest reply summed up what I have to say so I'm gonna stop
replying to this thread.  I think everyone has made their points and we're
all on the same page.


-- 
Kian Mohageri



Re: Important OpenBSD errata

2007-03-16 Thread Karel Kulhavy
On Fri, Mar 16, 2007 at 01:26:39PM +, Karl O. Pinc wrote:
 
 On 03/16/2007 03:54:16 AM, Karel Kulhavy wrote:
 On Tue, Mar 13, 2007 at 04:46:26PM -0600, Theo de Raadt wrote:
  This means everyone should have our latest patches installed.
 
 [...]
 
  *Solution/Vendor Information/Workaround*
 
   The OpenBSD team has released a security fix to correct the mbuf
   problem, it is available as a source code patch for OpenBSD 4.0
   and 3.9 here:
 

 ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch
 
   The patch can also be applied to previous versions of OpenBSD.
 
 Is it possible to fix OpenBSD 4.0 system without compiling anything,
 by e. g.
 somehow rewriting the file that contains the kernel? I have never
 compiled
 OpenBSD, ports etc. and don't have time to study all the theory around
 OpenBSD
 - I am sure if I attempt to recompile my system, I could easily screw
 it up
 completely.
 
 It's actually really easy.  Follow the first 2 steps in man release.

Unfortunately these instructions fail with not being clear if I should use
OPENBSD_4_0_BASE or OPENBSD_4_0 in step 1. It doesn't say if I should pick up
the version I have currently installed (4_0_BASE in my case) or the version
whose kernel I want to compile (4_0 in my case)

Instead, isn't it possible to download the kernel somewhere from openbsd.org
site, check the md5 and replace in bsd/ or wherever the kernel image is stored?
I have an OpenBSD 4.0 system installed from the CD and I didn't upgrade it
afterwards.

CL
 You'll feel quite the studly computer guy.
 
 Karl [EMAIL PROTECTED]
 Free Software:  You don't pay back, you pay forward.
  -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-16 Thread Jeremy Huiskamp

On 16-Mar-07, at 3:51 PM, Karel Kulhavy wrote:


On Fri, Mar 16, 2007 at 01:26:39PM +, Karl O. Pinc wrote:


It's actually really easy.  Follow the first 2 steps in man release.


Unfortunately these instructions fail with not being clear if I should use
OPENBSD_4_0_BASE or OPENBSD_4_0 in step 1. It doesn't say if I should pick up
the version I have currently installed (4_0_BASE in my case) or the version
whose kernel I want to compile (4_0 in my case)


Do you know the difference between -release and -stable?  Read
http://www.openbsd.org/faq/faq5.html

I can't imagine why you wouldn't want -stable but if you insist on only
incorporating the last patch, don't bother with cvs.  Unpack the source
tarballs that are on your cd, apply the patch and go from there.
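
What that advice looks like as commands, as an added example that is not part of this thread or of the OpenBSD project: unpack the kernel sources from the 4.0 CD, apply the errata patch with a check-only pass first, then config, make and install, following release(8), FAQ 5 and the "Apply by doing" header every errata patch carries. The CD mount point, the patch sitting in /tmp, the i386 fallback and the anoncvs root argument are assumptions for the example. The cvs route is included only to show which tag answers the question above: OPENBSD_4_0 is the -stable branch that carries the errata, OPENBSD_4_0_BASE is just the tag of the unpatched release.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenBSD project.
# Rebuild a GENERIC kernel on OpenBSD 4.0 with one errata patch applied,
# without a cvs checkout: unpack the release CD's sys.tar.gz, apply the
# patch, config and make, install, reboot.  Run as root on the target box.
# Assumed for the example: the CD is mounted so that sys.tar.gz is at
# /mnt/cdrom/4.0/sys.tar.gz, the patch was fetched to /tmp/010_m_dup1.patch,
# and, for the cvs route, you pass an anoncvs root picked from
# http://www.openbsd.org/anoncvs.html.

SRC=${SRC:-/usr/src}
ARCH=${ARCH:-$(machine 2>/dev/null || echo i386)}   # i386 if machine(1) is absent
CONFIG=${CONFIG:-GENERIC}

# Directory config(8) creates for a given architecture and kernel config.
kernel_compile_dir() {
    printf '%s/sys/arch/%s/compile/%s\n' "$SRC" "$1" "$2"
}

# Route 1: kernel sources exactly as shipped on the 4.0 CD (no network).
unpack_cd_sys() (                       # $1 = path to sys.tar.gz
    mkdir -p "$SRC" && cd "$SRC" && tar xzf "$1"
)

# Route 2: the -stable branch, which already carries every published errata
# patch.  OPENBSD_4_0 is that branch; OPENBSD_4_0_BASE is the tag of the
# unpatched release and is the wrong choice for this purpose.
checkout_stable_src() (                 # $1 = anoncvs root, e.g. anoncvs@host:/cvs
    cd /usr && cvs -qd "$1" get -rOPENBSD_4_0 -P src
)

# Apply one errata patch from the top of the tree, as the patch header says
# ("cd /usr/src; patch -p0 < NNN_name.patch").  patch -C is OpenBSD patch(1)'s
# check-only mode: nothing is modified unless the whole patch applies cleanly.
apply_errata() (                        # $1 = path to the patch file
    cd "$SRC" || exit 1
    patch -p0 -C < "$1" > /dev/null || {
        echo "$1 does not apply cleanly to $SRC, stopping" >&2
        exit 1
    }
    patch -p0 < "$1"
)

# config(8), then make, per release(8) and FAQ 5.
build_kernel() (
    cd "$SRC/sys/arch/$ARCH/conf" && config "$CONFIG" \
        && cd "$(kernel_compile_dir "$ARCH" "$CONFIG")" \
        && make clean && make depend && make
)

# Keep the previous kernel as /bsd.old so it can still be selected at the
# boot> prompt if the new one does not come up.
install_kernel() (
    cp /bsd /bsd.old && cp "$(kernel_compile_dir "$ARCH" "$CONFIG")/bsd" /bsd \
        && echo "installed; reboot to run the patched kernel"
)

if [ "${1:-}" = "--run" ]; then
    unpack_cd_sys /mnt/cdrom/4.0/sys.tar.gz \
        && apply_errata /tmp/010_m_dup1.patch \
        && build_kernel && install_kernel
fi
```

Each step is its own function so a failure stops the sequence before anything touches /bsd; the check-only pass matters most when applying several errata in a row, since a rejected hunk half-way through leaves a tree that neither matches the release nor -stable. `patch -C` is OpenBSD's spelling; GNU patch calls the same thing `--dry-run`.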



Re: Important OpenBSD errata

2007-03-16 Thread Karl O. Pinc

Thanks very much for taking the time to respond.

On 03/16/2007 02:33:28 PM, Kian Mohageri wrote:

I'm not saying that you're unappreciative, just that it seemed that way.

That is why when I write suggestions, I usually find something to thank the
person for too, just so they don't feel under attack.  Only hearing from
people about things that are done _wrong_ really gets old.  We all know that.


This is the point I should take away.  I tried to praise OpenBSD
but I should have thanked folks for the good patch before I started
in the problem.



Darren's latest reply summed up what I have to say so I'm gonna stop
replying to this thread.  I think everyone has made their points and  
we're

all on the same page.


I like his reply too.  I did (just) write him back and say that
what I think broke down was what OpenBSD usually excels at:
the open admission and discussion of problems.  That's what
got me about the whole thing, somehow it was out of control
from the get-go.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-16 Thread Karl O. Pinc

On 03/16/2007 02:51:35 PM, Karel Kulhavy wrote:

On Fri, Mar 16, 2007 at 01:26:39PM +, Karl O. Pinc wrote:



 It's actually really easy.  Follow the first 2 steps in man
release.

Unfortunately these instructions fail with not being clear if I should
use
OPENBSD_4_0_BASE or OPENBSD_4_0 in step 1. It doesn't say if I should
pick up
the version I have currently installed (4_0_BASE in my case) or the
version
whose kernel I want to compile (4_0 in my case)


Somebody else already pointed out that you need to read the
FAQ, particularly http://www.openbsd.org/faq/faq5.html
Building the System from Source to understand everything.
Your question should be answered there.


Instead, isn't it possible to download the kernel somewhere from
openbsd.org
site, check the md5 and replace in bsd/ or wherever the kernel image
is stored?


Nope.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-16 Thread Joachim Schipper
On Fri, Mar 16, 2007 at 10:20:00AM +, John Gould wrote:
 On Fri, 16 Mar 2007, Joachim Schipper wrote:
 On Fri, Mar 16, 2007 at 09:54:16AM +0100, Karel Kulhavy wrote:
 On Tue, Mar 13, 2007 at 04:46:26PM -0600, Theo de Raadt wrote:
  The OpenBSD team has released a security fix

 Is it possible to fix OpenBSD 4.0 system without compiling anything

 Compiling -stable is not that difficult, really.

 This guy doesn't want to do anything, read docs, compile a kernel, 
 compile the system etc. Perhaps he would be better off running something 
 else?

No clue, but *I* am certainly better off if he runs a secure OS. I get
quite enough spam, thankyouverymuch.

Besides, who am I to decide who gets to run OpenBSD? If someone is
annoying enough, I'll just stop reading his [1] messages, but that's as
far as I'm willing to go.

Joachim

[1] Or possibly her, but that would be a first.



Re: Important OpenBSD errata

2007-03-16 Thread Christopher Linn
On Fri, Mar 16, 2007 at 08:51:35PM +0100, Karel Kulhavy wrote:
[...]
  It's actually really easy.  Follow the first 2 steps in man release.
 
 Unfortunately these instructions fail with not being clear if I should use
 OPENBSD_4_0_BASE or OPENBSD_4_0 in step 1. It doesn't say if I should pick up
 the version I have currently installed (4_0_BASE in my case) or the version
 whose kernel I want to compile (4_0 in my case)

use OPENBSD_4_0.

 Instead, isn't it possible to download the kernel somewhere from openbsd.org
 site, check the md5 and replace in bsd/ or wherever the kernel image is 
 stored?

no.

chris

-- 
Christopher Linn celinn at mtu.edu  | By no means shall either the CEC
System Administrator II   | or MTU be held in any way liable
  Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.



Re: Important OpenBSD errata

2007-03-16 Thread fonkprop
Yet again, we see that although Theo is willing to beg, wheedle and threaten
his user community into sending him money when he needs it, he holds them in
too much contempt to respond to simple, uncontroversial and valid criticism.


On 3/16/07, Theo de Raadt [EMAIL PROTECTED] wrote:


 Let's see... the fsck_ffs fix pedro commited a few hours ago.  That
 fixes a serious problem where fsck fails to spot filesystem
 corruption.  Should we spend time fully assessing how rare or common
 this situation is, and then errata it up the stream as fast as
 possible, maybe even consider if there are security risks from such
 filesystem corruption?  Come on.


What a bullshit argument. When you realised the problem was serious enough
to update the homepage to say only two remote holes... you should also
have sent out an email to security-announce. You had time to send an
announcement to misc - not sending one to the list your project specifically
created for just this type of situation means, quite simply, that you fucked
up. You fucked up, Theo. Do it right next time, or de-commission the
security-announce mailing list for once and for all. The fact that you can't
get a simple thing like this right really makes me wonder about the wisdom
of relying on OpenBSD for real-world use...

The minute someone moans for a posting to the security-announce list
 they have removed any desire from me to do so.  And the same comes for
 any other errata.


What a completely fucking stupid, border-line insane thing to say. Let's get
this straight - your project sets up a security announcement list
specifically for announcements on vulnerabilities and patches. You then
proceed to ignore it completely for one of the most serious OpenBSD security
problems in the last decade. But no-one is allowed to actually say anything
about this because if they do you'll not use it JUST TO SPITE US. You, sir,
are a childish, immature cock.


 If people on our mailing list are going to be such jerks about patches
 which we do make available, then maybe we'll spend a whole lot less
 effort making errata and updating -stable.  The whole concept of being
 subserviant towards a community of jerks is not realistitic.


You know, Theo, it makes me fucking sick to see you treat the community of
people who support your project and pay your wage like this. It makes me
even sicker to see the crowds of shrill, stupid fanboys on this list who are
so pathetically eager to agree with you that they support even your
most unreasonable, childish and frankly stupid statements. You are a goddam
hypocrite - either you do OpenBSD purely for yourself and the other
developers (in which case I will stop financially supporting the project,
and everyone else should too) or you recognise that what really keeps
OpenBSD going is the group of people that advocate OpenBSD, use it in the
real world, and buy your goddamn CDs and t-shirts to keep you going... The
idiots on misc that support you when you treat your users this badly aren't
the real friends of OpenBSD.



Re: Important OpenBSD errata

2007-03-16 Thread Ray Percival

On Mar 16, 2007, at 5:43 PM, fonkprop wrote:

Yet again, we see that although Theo is willing to beg, wheedle and threaten
his user community into sending him money when he needs it, he holds them in
too much contempt to respond to simple, uncontroversial and valid criticism.

No. This is pure bullshit. There was a hole. The patch and the errata had
been up for -ages-. Anybody who really cares and really pays attention had
patched and been happy for nearly a week. The logic behind the misc posting
is so very obvious that to bitch about it is just finding something to
complain about. I, of course, don't know the exact numbers but it seems
pretty clear that misc has a much larger subscriber base than
security-announce. Given that it just makes sense to post this to the list
where the most people are going to see it.


As for the rest of your rant. It's clear you've never been a working  
admin or coder. Try it for a while and come back when you've seen the  
elephant.




snip



Re: Important OpenBSD errata

2007-03-16 Thread Jeremy Huiskamp

On 16-Mar-07, at 9:57 PM, Ray Percival wrote:


On Mar 16, 2007, at 5:43 PM, fonkprop wrote:

Yet again, we see that although Theo is willing to beg, wheedle and threaten
his user community into sending him money when he needs it, he holds them in
too much contempt to respond to simple, uncontroversial and valid criticism.

No. This is pure bullshit. There was a hole. The patch and the errata had
been up for -ages-. Anybody who really cares and really pays attention had
patched and been happy for nearly a week. The logic behind the misc posting
is so very obvious that to bitch about it is just finding something to
complain about. I, of course, don't know the exact numbers but it seems
pretty clear that misc has a much larger subscriber base than
security-announce. Given that it just makes sense to post this to the list
where the most people are going to see it.
Actually, I think you're wrong.  Majordomo at lists.openbsd.org  
reports 11323 subscribers to security-announce and only 3866 for  
misc.  It really surprised me when I saw it, I thought misc would  
have had at least more than ~4000.  Whether they're correct or not  
though, most people probably think security-announce is the important  
one to watch.




Re: Important OpenBSD errata

2007-03-16 Thread Sunnz

Is it really that hard to cc to security-announce? Jeez...

2007/3/17, Ray Percival [EMAIL PROTECTED]:

On Mar 16, 2007, at 5:43 PM, fonkprop wrote:

 Yet again, we see that although Theo is willing to beg, wheedle and
 threaten
 his user community into sending him money when he needs it, he
 holds them in
 too much contempt to respond to simple, uncontroversial and valid
 criticism.
No. This is pure bullshit. There was a hole. The patch and the errata
had been up for -ages-. Anybody who really cares and really pays
attention had patched and been happy for nearly a week. The logic
behind the misc posting is so very obvious that to bitch about it is
just finding something to complain about. I, of course, don't know
the exact numbers but it seems pretty clear that misc has a much
larger subscriber base than security-announce. Given that it just
makes sense to post this to the list where the most people are going
to see it.

As for the rest of your rant. It's clear you've never been a working
admin or coder. Try it for a while and come back when you've seen the
elephant.


snip





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/14/2007 09:13:19 AM, Martin Schröder wrote:

2007/3/13, Theo de Raadt [EMAIL PROTECTED]:

This means everyone should have our latest patches installed.



Just a reminder: security-announce exists for messages like this. Use
it or delete it.

While the bug is bad, the handling of it is even worse.


I agree.  I'm very annoyed that I have to read about this
problem on slashdot.  The misc list is not the right place
for this announcement, some low-traffic announce list that
goes right into my inbox is where this stuff belongs.
I rely on having a clear channel for security related
problems.

OpenBSD's excellent reputation is what allows me to
sell it to my clients, which allows me to work with
OpenBSD.  I've always used the proactive, transparent, and
forthright tone of OpenBSD related communication as
a selling point.  This is the first time I've felt
let down and I hope it's the last.

I realize we get what we get from the OpenBSD project,
and I've certainly gotten a lot more than I've put
into it.  The response and announcement latency
has always been great, with a low signal to noise ratio.
My high expectations have always been met and that's what makes
this communication breakdown hurt.  It's not the
magnitude of the security vulnerability that's
the problem.

Problems communicating patch availability lead
to security problems as severe as unpatched
vulnerabilities.  Therefore communication problems
deserve the degree of acknowledgment and
resolution accorded to bugs in the code.

Regards,

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Ray Percival

On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
snip


I agree.  I'm very annoyed that I have to read about this
problem on slashdot.  The misc list is not the right place
for this announcement, some low-traffic announce list that
goes right into my inbox is where this stuff belongs.
I rely on having a clear channel for security related
problems.

You -do- know that this has been on the errata page since
Friday, right? Because as worried as you are and as important
as this is to you, you take the responsibility to check said page
every day, of course. Oh wait. No you don't.
Come on this is open source it should be a maker's culture.
You know where these things are as soon as they hit the tree
and it takes all of two whole minutes to glance at it once or
twice a day. Step up to the plate and do for yourself.
snip


Problems communicating patch availability lead
to security problems as severe as unpatched
vulnerabilities.  Therefore communication problems
deserve the degree of acknowledgment and
resolution accorded to bugs in the code.

The only communication problem here is that you don't look
at the information that the project puts out there for you.
You are correct. This needs to be fixed. Do so.


Regards,

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



They do not preach that their God will rouse them a little before the  
nuts work loose.




Re: Important OpenBSD errata

2007-03-15 Thread Jeremy Huiskamp

On 15-Mar-07, at 11:48 PM, Ray Percival wrote:

On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
snip


I agree.  I'm very annoyed that I have to read about this
problem on slashdot.  The misc list is not the right place
for this announcement, some low-traffic announce list that
goes right into my inbox is where this stuff belongs.
I rely on having a clear channel for security related
problems.

You -do- know that this has been on the errata page since
Friday, right? Because as worried as you are and as important
as this is to you, you take the responsibility to check said page
every day, of course. Oh wait. No you don't.
Come on this is open source it should be a maker's culture.
You know where these things are as soon as they hit the tree
and it takes all of two whole minutes to glance at it once or
twice a day. Step up to the plate and do for yourself.


That's what I was going to say.  If you did things properly,
you would have had this patch applied before you knew that it
was a remote hole.  I was confused when I read that the patch
had been published on the 7th because I didn't think I'd seen
it.  Then I realized I was already running it.  That's
called a -6 day bug fix  ;)

'Course it seems odd that this isn't on security-announce@ but
I don't remember seeing a guarantee of that when I signed the
contract... oh wait...



Re: Important OpenBSD errata

2007-03-15 Thread Tony Abernethy
Karl O. Pinc wrote:
 
 On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
  2007/3/13, Theo de Raadt [EMAIL PROTECTED]:
  This means everyone should have our latest patches installed.
 
  Just a reminder: security-announce exists for messages like 
 this. Use 
  it or delete it.
  
  While the bug is bad, the handling of it is even worse.
 
 I agree.  I'm very annoyed that I have to read about this 
 problem on slashdot.  The misc list is not the right place 
 for this announcement, some low-traffic announce list that 
 goes right into my inbox is where this stuff belongs.
 I rely on having a clear channel for security related problems.
 
 OpenBSD's excellent reputation is what allows me to sell it 
 to my clients, which allows me to work with OpenBSD.  I've 
 always used the proactive, transparent, and forthright tone 
 of OpenBSD related communication as a selling point.  This is 
 the first time I've felt let down and I hope it's the last.
 
 I realize we get what we get from the OpenBSD project, and 
 I've certainly gotten a lot more than I've put into it.  The 
 response and announcement latency has always been great, 
 with a low signal to noise ratio.
 My high expectations have always been met and that's what 
 makes this communication breakdown hurt.  It's not the 
 magnitude of the security vulnerability that's the problem.
 
 Problems communicating patch availability lead to security 
 problems as severe as unpatched vulnerabilities.  Therefore 
 communication problems deserve the degree of acknowledgment 
 and resolution accorded to bugs in the code.
 
 Regards,
 
 Karl [EMAIL PROTECTED]
 Free Software:  You don't pay back, you pay forward.
   -- Robert A. Heinlein
 

1) JUMP!
2) HOW HIGH?

Do you REALLY want to play that game?

If the security is real and is actually proactive
Seems like you shouldn't have to play that game.

Is the bug actually serious in practice?
Are you actually safer with the bug fixed?

My gut feel is that the next unsung fix will actually make more 
difference to how secure the resulting system is.

This is from a kibitzer, BUT
I can guarantee that the security of OpenBSD is NOT due to panic 
attacks of trying to keep up with the latest security breaches.



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/15/2007 10:24:31 PM, Tony Abernethy wrote:

Karl O. Pinc wrote:

 On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
  2007/3/13, Theo de Raadt [EMAIL PROTECTED]:
  This means everyone should have our latest patches installed.

  Just a reminder: security-announce exists for messages like
 this. Use
  it or delete it.



 I rely on having a clear channel for security related problems.



 My high expectations have always been met and that's what
 makes this communication breakdown hurt.  It's not the
 magnitude of the security vulnerability that's the problem.

 Problems communicating patch availability lead to security
 problems as severe as unpatched vulnerabilities.



1) JUMP!
2) HOW HIGH?



If the security is real and is actually proactive
Seems like you shouldn't have to play that game.


All the security in the world does me no good
if it's not installed on my systems.


Is the bug actually serious in practice?


No.


Are you actually safer with the bug fixed?


Yes.  If I wasn't then there wouldn't be
an errata would there?


My gut feel is that the next unsung fix will actually make more
difference to how secure the resulting system is.


I track -STABLE, because I want reliability.  I won't
get the next unsung fix until an errata is announced
that might affect me.  I've better things to do
than install new builds all the time.


This is from a kibitzer, BUT
I can guarantee that the security of OpenBSD is NOT due to panic
attacks of trying to keep up with the latest security breaches.


No, but if security errata announcements aren't delivered
in a fashion that delivers them to a human then they
do no good.  I should not be expected to peruse the
misc@openbsd.org list to find errata announcements.
OpenBSD says announcements will be made on security-announce
when patches become available.  This did not happen.
Ergo, something is broken.  I can't fix it.  It may
not be fixable, but if it is fixable then it should
be fixed.  We should not all just pretend it didn't
happen.  If there is something that
can be fixed I'd like to hear about it when it
gets fixed.  Hence my post.

Further, it's important to let the OpenBSD project
know how important the brokenness is.  (Recall,
I'm not talking about the security vulnerability,
I'm talking about the communication breakdown.)
If my clients hear about an OpenBSD vulnerability
from the media, before I hear about it from
OpenBSD, that's bad.  I want them to hear about
problems with their systems, however slight, from
me (or directly from OpenBSD of course).  I don't
want clients to hear about problems on their systems
from some media panic attack article.

OpenBSD has always solicited feedback regarding
how important particular bugs are.
Now you've the relevant information, you
can decide how high to jump.

Regards,

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Theo de Raadt
 Free Software:  You don't pay back, you pay forward.
   -- Robert A. Heinlein

I was trying to decide if I should reply, and if so, how.

I looked for your name on the donations list.  I don't see it.

But your quote makes it clear.

I don't know what to say.  I am trying to get past the first
impression of you being a whining liar who quotes some fiction author.

Give it up.  He uses our software, and he's not worth the discussion.



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/15/2007 10:48:49 PM, Ray Percival wrote:

On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:



I rely on having a clear channel for security related
problems.



The only communication problem here is that you don't look
at the information that the project puts out there for you.


The project says it will announce security errata
on the security-announce list.  I _am_ assuming this
will be done in a timely fashion...  This does not
seem like an unreasonable assumption.

If security-announce is not a place for timely
security announcements then change the description,
or get rid of it.  Which brings the discussion back
to where it started, and where it belongs.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/15/2007 11:04:49 PM, Jeremy Huiskamp wrote:


That's what I was going to say.  If you did things properly,
you would have had this patch applied before you knew that it
was a remote hole.


You have a valid point: any bug is a security problem.
However, the topic is not my management practices and
the tradeoffs involved therein.  The topic is the
efficacy of the security-announce list.  If I knew
security-announce was broken I could write a screen-scraper
to check the errata page for me.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein
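
Karl's remark about writing a screen-scraper for the errata page is something a defender can actually do. The checker below is an added example, not code from this thread or from the OpenBSD project; the HTML layout, the mirror host and the patch names it uses are constructed assumptions, not the real page.

```python
"""Errata-page change checker.

Added example, not code from this thread or from the OpenBSD project: the
sort of "screen-scraper to check the errata page" mentioned above. It pulls
the patch links out of an errata page, fingerprints the text of each entry
so a revised erratum is noticed as well as a new one, and compares the
result with the state saved by the previous run. The HTML layout and the
patch names in SAMPLE_PAGE are constructed for this example, not copied
from www.openbsd.org.
"""
import hashlib
import json
import re
import sys
import urllib.request

# Assumed layout: one <li> per erratum, each linking to a .patch file.
ENTRY_RE = re.compile(r"<li[^>]*>(.*?)</li>", re.DOTALL | re.IGNORECASE)
PATCH_RE = re.compile(r'href="([^"]*/patches/[^"]+\.patch)"', re.IGNORECASE)

# Constructed sample page used for the self-check; the paths are not real patches.
SAMPLE_PAGE = """<html><body><ul>
<li><a href="https://mirror.example/pub/OpenBSD/patches/4.0/common/001_sample.patch">
001: RELIABILITY FIX</a> A constructed entry for this example.</li>
<li><a href="https://mirror.example/pub/OpenBSD/patches/4.0/common/002_sample.patch">
002: SECURITY FIX</a> A second constructed entry.</li>
</ul></body></html>"""


def extract_entries(html):
    """Map each patch path to a SHA-256 of its erratum text (tags stripped)."""
    entries = {}
    for block in ENTRY_RE.findall(html):
        match = PATCH_RE.search(block)
        if not match:
            continue  # a list item with no patch link is not an erratum
        text = re.sub(r"<[^>]+>", " ", block)
        text = " ".join(text.split())  # ignore whitespace-only edits
        entries[match.group(1)] = hashlib.sha256(text.encode()).hexdigest()
    return entries


def compare(previous, current):
    """Return (new, revised, withdrawn) patch paths, each sorted."""
    new = sorted(p for p in current if p not in previous)
    revised = sorted(p for p in current if p in previous and previous[p] != current[p])
    withdrawn = sorted(p for p in previous if p not in current)
    return new, revised, withdrawn


def report(previous, current):
    """Human-readable lines; empty when nothing changed, so cron stays quiet."""
    new, revised, withdrawn = compare(previous, current)
    return (["NEW       " + p for p in new]
            + ["REVISED   " + p for p in revised]
            + ["WITHDRAWN " + p for p in withdrawn])


def main(url, state_path):
    """Fetch the page, diff it against the saved state, then save the new state."""
    html = urllib.request.urlopen(url, timeout=30).read().decode("utf-8", "replace")
    try:
        with open(state_path) as fh:
            previous = json.load(fh)
    except FileNotFoundError:
        previous = {}  # first run: every entry is reported as NEW
    current = extract_entries(html)
    for line in report(previous, current):
        print(line)
    with open(state_path, "w") as fh:
        json.dump(current, fh, indent=1)


if __name__ == "__main__":
    # Example: python3 errata_check.py https://www.openbsd.org/errata.html /var/db/errata.json
    main(sys.argv[1], sys.argv[2])
```

Run it from cron and mail whatever it prints; a NEW or REVISED line is a cue to read the entry and fetch the patch from a mirror you trust, not a replacement for the announce list.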



Re: Important OpenBSD errata

2007-03-15 Thread Chris Kuethe

On 3/15/07, Ray Percival [EMAIL PROTECTED] wrote:

You -do- know that this has been on the errata page since
Friday, right? Because as worried as you are and as important
as this is to you you take the responsibility to check said page
every day, of course. Oh wait. No you don't.


Or use the magical, asynchronous, server-push, web-4.0pre1-alpha
technology called the source-changes mailing list

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Important OpenBSD errata

2007-03-15 Thread Adam Hawes
 You have a valid point: any bug is a security problem.
 However, the topic is not my management practices and
 the tradeoffs involved therein.  The topic is the
 efficacy of the security-announce list.  If I knew
 security-announce was broken I could write a screen-scraper
 to check the errata page for me.

The simple assumption that has never failed me is
everything is broken, don't trust it.

Cheers,
A



Re: Important OpenBSD errata

2007-03-15 Thread Bryan Allen

On Mar 16, 2007, at 12:36 AM, Karl O. Pinc wrote:


You have a valid point: any bug is a security problem.
However, the topic is not my management practices and
the tradeoffs involved therein.  The topic is the
efficacy of the security-announce list.  If I knew
security-announce was broken I could write a screen-scraper
to check the errata page for me.


feed://flirble.disruptiveproactivity.com/rss/openbsd_stable_src.rss

feed://flirble.disruptiveproactivity.com/rss/openbsd_stable_ports.rss

feed://ports.openbsd.nu/rss/all
--
bda



Re: Important OpenBSD errata

2007-03-15 Thread Kian Mohageri
On 3/15/07, Karl O. Pinc [EMAIL PROTECTED] wrote:

 On 03/15/2007 10:48:49 PM, Ray Percival wrote:
  On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:

  I rely on having a clear channel for security related
  problems.

  The only communication problem here is that you don't look
  at the information that the project puts out there for you.

 The project says it will announce security errata
 on the security-announce list.  I _am_ assuming this
 will be done in a timely fashion...  This does not
 seem like an unreasonable assumption.



I bet you'd also like somebody other than you to patch your systems in a
timely fashion.


If security-announce is not a place for timely
 security announcements then change the description,
 or get rid of it.  Which brings the discussion back
 to where it started, and where it belongs.



Security isn't about receiving notifications to your Inbox in a timely
fashion.  It is about being proactive yourself.  You should be the one
taking measures to secure your systems, and you should be the one ACTIVELY
LOOKING for problems.  Watching mailing lists isn't enough, and this was
announced very early on the ERRATA page.

Do something for yourself.

-- 
Kian Mohageri



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/15/2007 11:29:22 PM, Theo de Raadt wrote:


I looked for your name on the donations list.  I don't see it.


I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.

How much do I need to donate to keep from having to
waste my time in unproductive threads like this?

Seriously.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Theo de Raadt
 I looked for your name on the donations list.  I don't see it.

I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.

I think you bought one CD.

Now you spout and whine.  Is that a Robert Heinlein philosophy?

How much do I need to donate to keep from having to
waste my time in unproductive threads like this?

Is that a Robert Heinlein philosophy too?

+1.7733632105



Re: Important OpenBSD errata

2007-03-15 Thread Bryan Allen

On Mar 16, 2007, at 1:09 AM, Theo de Raadt wrote:


I looked for your name on the donations list.  I don't see it.


I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.


I think you bought one CD.

Now you spout and whine.  Is that a Robert Heinlein philosophy?


How much do I need to donate to keep from having to
waste my time in unproductive threads like this?


Is that a Robert Heinlein philosophy too?


I HAVE donated both hardware and cash over the last few years, as  
well as buying CDs and shirts; does that mean I get to have an opinion?


1) It is reasonable to assume that if a security-announce@ list  
exists, it will be utilized consistently. If it is not, the  
documentation should be updated to reflect that.


2) There are numerous other ways to track changes to -STABLE. Using  
one of them is also reasonable; if they were referenced somewhere in  
the documentation that would certainly be helpful (but would generate  
management overhead).


Heinlein also wrote TANSTAAFL.
--
bda



Re: Important OpenBSD errata

2007-03-15 Thread Daniel Ouellet

Karl O. Pinc wrote:

On 03/15/2007 11:29:22 PM, Theo de Raadt wrote:


I looked for your name on the donations list.  I don't see it.


I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.


And what are the developers doing with their time? They give it to you 
and you have the got to complain on top of it! So, they should waste 
their time to make you happy because you are too lazy to check for yourself!



How much do I need to donate to keep from having to
waste my time in unproductive threads like this?


If you even have to ask this question, I feel sorry for you!


Seriously.


Seriously!

Daniel



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/16/2007 12:09:46 AM, Theo de Raadt wrote:

 I looked for your name on the donations list.  I don't see it.

I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.

I think you bought one CD.


I think I've bought 4 over the last 5 years.
I wouldn't swear to it.  I spent at least one
release learning to do it myself
sans cd.  And 1 t-shirt for sure.  Believe me
or not.  At least one cd was bought under a different name
and I don't have the receipt any more.



Now you spout and whine.  Is that a Robert Heinlein philosophy?


I pointed out what I thought was a problem, and
I tried to be respectful when I did so.
One security errata did not get announced on
the security-announce mailing list.
Nobody wants to acknowledge it as a problem.
Fine.  Is it a big problem?  Not really.
But people seem to want to give me shit for
mentioning it.  That's fine too but I've a weakness
for standing up to aggression.  I apologize
if the repetition to which that has led has
made this into a bigger deal than it is.



How much do I need to donate to keep from having to
waste my time in unproductive threads like this?

Is that a Robert Heinlein philosophy too?


I thought you were offering.


Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Jacob Yocom-Piatt
Karl O. Pinc wrote:
 On 03/15/2007 11:29:22 PM, Theo de Raadt wrote:

 I looked for your name on the donations list.  I don't see it.

 I only buy CDs and stuff occasionally, and generally
 invest time in what I hope are productive ways.


like bitching about stuff that you, as a security professional, should
already know? how notably productive!

if you can't look smart because you weren't looking in the right spot for
this information, then perhaps your customers really should reconsider
how smart they thought you were. offhand i remember having had a
favorable impression of your skills from your previous posts and this
hissy fit doesn't make you look any smarter. if i hired you as a
consultant, looked you up on google and saw this little thread, i'd
really think twice about listening to you next time. unless you're
posting under a pseudonym you may have turned stubbing your toe into a
full blown shot yourself in the foot.

 How much do I need to donate to keep from having to
 waste my time in unproductive threads like this?


how much do i need to donate to stop other whiners from starting threads
like this? if you're a security consultant in a 1st world country whose
job depends on openbsd and you haven't donated any significant amount,
you're one greedy SOB.

 Seriously.

 Karl [EMAIL PROTECTED]
 Free Software:  You don't pay back, you pay forward.
  -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/15/2007 11:55:44 PM, Kian Mohageri wrote:


Security isn't about receiving notifications to your Inbox in a timely
fashion.  It is about being proactive yourself.  You should be the one
taking measures to secure your systems, and you should be the one
ACTIVELY
LOOKING for problems.  Watching mailing lists isn't enough, and this
was
announced very early on the ERRATA page.


Perhaps my problem is that until this thread it wasn't
clear to me that the errata page was inherently more
reliable than the mailing list.  From a technical
perspective I see no reason why either can't be equally
reliable.  How am I to know?


Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Travers Buda
* Karl O. Pinc [EMAIL PROTECTED] [2007-03-16 04:23:00]:

 No, but if security errata announcements arn't delivered
 in a fashion that delivers them to a human then they
 do no good.  I should not be expected to peruse the
 misc@openbsd.org list to find errata announcements.
 OpenBSD says announcements will be made on security-announce
 when patches become available.  This did not happen.
 Ergo, something is broken.  I can't fix it.  It may
 not be fixable, but if it is fixable then it should
 be fixed.  We should not all just pretend it didn't
 happen.  If there is something that
 can be fixed I'd like to hear about it when it
 gets fixed.  Hence my post.
 

Now, I've harassed this forum with my obsessive-compulsive rants
before, so I can guarantee you you're going to get nothing.  OpenBSD
actually does not owe you anything.  If you really want to stay
on top of OpenBSD goings-on, I suggest you subscribe to [EMAIL PROTECTED]
Public things hit that first.  Yes, it does seem a bit silly that
security-announce@ is a bit flakey sometimes and this has been
ranted about before.  Nothing has changed its usage.  But this
problem showed up on errata.html, misc@, undeadly.org, osnews.com,
some other blogs, news sites, and finally slashdot.  You're bound
to read one of those (however I wouldn't count on slashdot since
it's just inflammatory bullshit read by a bunch of microsofters who
wish they could even install linucks; whether this is due to their
stupidity or the poor quality of linux is anyone's guess).  I
digress.  If you _really_ want to stay on top of things, you have
to take action yourself beyond the cron job that gets your mail.
Sorry, that's just the way it is, so I suggest you adapt to it.

-- 
Travers Buda



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

On 03/16/2007 12:40:57 AM, Daniel Ouellet wrote:

And what are the developers doing with their time? They give it to  
you and you have the got to complain on top of it!


So next time I shouldn't post when I see a problem?
That'll help, not.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread Karl O. Pinc

I apologise to the list for responding to
the flames.  I made my point and went beyond
into unproductiveness.

I'm sorry and I'll stop now.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: Important OpenBSD errata

2007-03-15 Thread tony sarendal
http://www.openbsd.org/mail.html
---
*security-announce* Security announcements. This low volume list receives
OpenBSD security advisories and pointers to security patches as they become
available.
---
Martin and Karl have valid points in their initial emails.

/Tony S

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: Important OpenBSD errata

2007-03-15 Thread Lars Hansson
On Fri, 16 Mar 2007 06:03:49 +
tony sarendal [EMAIL PROTECTED] wrote:

 http://www.openbsd.org/mail.html
 ---
 *security-announce* Security announcements. This low volume list receives
 OpenBSD security advisories and pointers to security patches as they become
 available.
 ---
 Martin and Karl have valid points in their initial emails.

Only it doesn't actually say how timely it is supposed to be or even
that all advisories and patches will have a corresponding email. Sure,
you could say it's implied but it's sure not spelled out and the
OpenBSD project isn't exactly overflowing with personnel. But maybe
Karl and Martin are volunteering to maintain security-announce.

-- 
Lars Hansson [EMAIL PROTECTED]



Re: Important OpenBSD errata

2007-03-15 Thread Travers Buda
* tony sarendal [EMAIL PROTECTED] [2007-03-16 06:03:49]:

 http://www.openbsd.org/mail.html
 ---
 *security-announce* Security announcements. This low volume list receives
 OpenBSD security advisories and pointers to security patches as they become
 available.
 ---
 Martin and Karl have valid points in their initial emails.
 
 /Tony S
 

It's important to put yourself in Theo et al.'s shoes.  Here's a
group of people who write code for free, and then give it away for
free.  There's no serious cash inflow to enable them to do everything
they want.  The code can be used by anybody for whatever purpose,
like: making money!  And does that money ever find its way back
to OpenBSD?  I'm talking about big corporations here.  OpenSSH is
in _everything_.  It's only natural that OpenBSD should feel a sense
of ingratitude...  because there is ingratitude.  To add insult to
injury, people ask for more than what is freely offered.  Example:
this thread.

If you want to see X feature, hire one of the developers.
If you want to keep getting releases, pay Theo's hydroponics..  err
electric bill.  etc etc

-- 
Travers Buda



Re: Important OpenBSD errata

2007-03-14 Thread Martin Schröder

2007/3/13, Theo de Raadt [EMAIL PROTECTED]:

This means everyone should have our latest patches installed.


Uh. :-(

Just a reminder: security-announce exists for messages like this. Use
it or delete it.

While the bug is bad, the handling of it is even worse.

Best
  Martin



Re: Important OpenBSD errata

2007-03-14 Thread Tom Van Looy
What about: Release Mode: FORCED RELEASE?
This is about the exploit, right? And not the advisory.


Theo de Raadt wrote:
 This means everyone should have our latest patches installed.
 
 
 Date: Tue, 13 Mar 2007 19:40:15 -0300
 From: CORE Security Technologies Advisories [EMAIL PROTECTED]
 Organization: CORE Security Technologies
 MIME-Version: 1.0
 To: Bugtraq bugtraq@securityfocus.com, Vulnwatch [EMAIL PROTECTED]
 Subject: CORE-2007-0219: OpenBSD's IPv6 mbufs remote kernel buffer overflow
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit



Re: Important OpenBSD errata

2007-03-14 Thread Theo de Raadt
 What about: Release Mode: FORCED RELEASE?
 This is about the exploit, right? And not the advisory.

That means a patch has already been made available, so the advisory
should match it, we release right away.