If my opinions were misunderstood, I apologize for that.

I am currently an 'eager and happy user' of OpenBSD.
I have used it for a couple of years, and I must say that
it has been among the better operating systems.
On the side I use FreeBSD, for servers as well as desktops.
The reason that I reacted was that normally, fixes for
'more trivial' errors are corrected -by day-.
The coders of OpenBSD are among the better, and up to now
have delivered patches/fixes -fast-, as well as informing users (see you/me) about it.

(If you in any way feel that this discussion is taking a 'useless turn',
just say so. In the end, we're both users and enjoying every minute of it. :) )

Now, going back to your answer here.

The reason I reacted the way I did was not because I think "Microsoft is
better". I have a very neutral opinion of OSes, and some users may
prefer the ones that are easier to use.
The only reason is that a fix wasn't posted on errata. No information
regarding such an -important- event.
How about all the users that run OpenBSD on important servers?
No information on the subject was posted before the exploit, and
that's what scares me.


> Do you do this every time an exploit comes out for any Linux vendor, or
> Microsoft? You must have a sweaty forehead.
> 
<irony quotation mark, end>
And I have -never- claimed that this is bad compared to other systems.
But this is not an "OS match" issue, please stick to the real issue.


> I'd like to know what method of notification Georgi used. Did he file a
> confidential bug report, or did he just send an email to Theo? He could
> have also sent an email to one of the mail lists, stating that he had
> discovered a problem and could someone "in the know" contact him.
> 
Of course, this could be the situation. If it's "that explainable", I
retract all my remarks.

> What's up with people acting like the sky is falling when any type of
> exploit is released for OpenBSD? I'd be interested to see a graph of
> released exploits for Operating Systems. Where do you think OpenBSD
> would be on that chart in relation to others?
> 

There is a difference between "getting bugs" and "telling people about them".
It's -not- good policy to let the public know about the bugs / exploits
before they have been posted / fixed by the vendor.


> The reality is that the OpenBSD development team is small, and busy. And
> yes this is a problem, and yes they were notified, and yes no one officially
> responded to this BUGTRAQ post and they did not have a patch ready to
> go. Most of these developers are people just like you and me who have
> jobs and work on OpenBSD because they enjoy it, and like the ideals
> behind OpenBSD. No one is getting rich on doing this, believe me.
>

I don't doubt that for a second, -but-.
This is a -critical- bug. It gives -root compromise-.
Think of the damage it causes if no one gets to know about the fixes in
time. We're talking -heavy- financial losses.

 
> If what you desire is someone to be there for you night and day, to
> have patch right away, you should probably be running another OS. I'm
> not just saying that to be rude or refute the problem with a "go away"
> attitude. I'm serious. 
> 

Night/day, no. But what I expect, as well as in any other -good coding environment-,
is information about -critical- issues such as this.
If no one gives the information in time, what's the point of even reading
the news/mailing lists/web pages?


> In conclusion, OpenBSD never claimed that they were never going to be
> vulnerable to security issues, and they promised that they would be able
> to fix everything in a timely manner. But when I look at the
> alternatives, for some reason I still prefer it. Go figure...
> 

Partially agree, but there is also a "big issue" here: if no one is there to
"complain" or "say that things weren't handled well", then who
will take the time to fix it?
"Why fix something that isn't broken."
People -need- to have things like this pointed out, people NEED to
see that security is a growing issue, and at the least, people
NEED to: INFORM THE USERS. (Excuse the caps.)

> btw.. if you made it through my rant here is your reward:
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c
> 
Revision 1.49 / (download) - annotate - [select for diffs], Fri Jun 15 11:10:18 2001 UTC (6 hours, 38 minutes ago) by art
Yes, and do you think it's a coincidence that it's only 6 hours old?
No, this proves the point I mentioned earlier.
Now that people have been informed (not in the best way, but still), a fix
has been made. But 6 days have passed, and no one outside the OpenBSD team
had been informed. That's -not good-. (Which is the -only- point I'm trying to make
here. :-) )


In the end, I would like to thank the developers of OpenBSD.
The operating system is really good, and I hope to see more
of it. Just to point out that I still prefer OpenBSD as a
"more secure alternative".



Your annoyance,
 Andreas Haugsnes

