On Wed, Aug 10, 2016 at 09:50:37AM +0100, Big Lebowski wrote: > On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan <kit...@kitchetech.com> > wrote: > > > You mean operating system as distribution is a Linux term. There's not much > > different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes > > vulnerabilities and has a an excellent ASLR system compared to the proposed > > one for FreeBSD. > > > > And what are your sources on which you're formulating this statement? What > is the HBSD authors security, or even general coding, track record? How > well are they known for their code, whitepapers, implementations? I'd say, > not at all. You can have the example of their 'ASLR' code quality in the > FreeBSD reviews system, where known and respected coders point out very > basic and critical code mistakes, where well known and respected system > designers point out flaws in their lack of design, so on and so forth. The > only thing that's excellent about them is how they spread this opinion > about their code to other people, including you ;) > > I'd much rather take my bet with kib's implementation knowing who he is and > how long and how well he does what he does (that is, quality code for > FreeBSD) than untested, un-designed, self-procclaimed code from relatively > young, inexperienced and unknown person, that's not willing to take advices > on fixing their code, when given so. > > With all due respect :)
Hey there, ASLR shouldn't be part of the discussion revolving the freebsd-update, portsnap, libarchive, and bspatch vulnerabilities. ASLR won't even help with these vulnerabilities in particular as they are logic vulnerabilities. ASLR helps make more difficult the successful exploitation of buffer overflows, format string vulnerabilities, etc. In HardenedBSD, we've fixed the two libarchive vulnerabilities that FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD publishes their fixes, which they are planning on to do before 11.0-RELEASE goes out the door. Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
signature.asc
Description: PGP signature