Upcoming OpenSSH vulnerability (fwd)

Net Llama! netllama
Mon May 17 11:33:57 PDT 2004


On Wed, 26 Jun 2002, Philip J. Koenig wrote:
> On 25 Jun 2002, at 16:38, Net Llama! boldly uttered:
>
> > On Tue, 25 Jun 2002, Philip J. Koenig wrote:
> >
> > > There has been a heated discussion on this over in the FreeBSD
> > > security list, suffice to say that Theo's obnoxious attitude doesn't
> > > help matters.  Nonetheless this is important info:
> >
> > The way I see it, if you write a heaping hunk of code that thousands, if
> > not millions of people use on a daily basis, you can be as obnoxious as
> > you like.
>
>
> I have an extremely different view of life: as far as I'm concerned,
> there is no excuse, no time, nowhere for *anyone* to be an obnoxious
> S.O.B., and I don't care if you're the president, the pope, or god.
> (assuming you believe in the latter)
>
> DeRaadt sat on the FreeBSD security list, and blustered, and cussed,
> and berated people for asking questions, basically anyone who didn't
> accept his dictum as gospel.
>
> After all of these predictions of doom-and-gloom coming from him, and
> after listening to him pull a Microsoft - not divulging any details
> on this vulnerability (contrary to the guiding philosophy in the
> majority of the open-source security community), spreading FUD,
> scaring people into thinking they were going to get rooted through
> this thing unless they upgraded to this new and relatively un-tested
> functionality (privilege separation)... it is now coming out (no
> thanks to DeRaadt) that the version that most people are currently
> running in FreeBSD is NOT VULNERABLE.
>
> Just like some people wondered when his blustering first started, it
> appears possible that some of this may just have been a good excuse
> to force everyone to upgrade.
>
> Most FreeBSD users are a little different than typical Linux users -
> they don't like to be on the bleeding edge just to be on the bleeding
> edge - they want to make sure changes are well-tested and relatively
> trouble-free.  Such FUD from vendors does not play well in that
> community.

I agree with you 100%, except that you're neglecting one simple fact.  OpenSSH
is not a vendor.  The developers of openssh aren't getting paid a single
penny for what they do.  Thus, they aren't bound to the same
vendor/customer relationship that we expect from places such as Sun,
Oracle or even M$.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lonni J Friedman				netllama at linux-sxs.org
Linux Step-by-step & TyGeMo		     http://netllama.ipfox.com