Message-ID: <4424AB51.9060800@linuxbox.org>
Date: Sat, 25 Mar 2006 04:30:41 +0200
From: Gadi Evron <ge@...uxbox.org>
To: Theo de Raadt <deraadt@....openbsd.org>
Cc: Eric Allman <eric+bugtraq@...philic.com>, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Re: Re: SendGate: Sendmail Multiple Vulnerabilities
	(Race Condition DoS, Memory Jumps, Integer Overflow)


Theo de Raadt wrote:
>>After or before it hit the news? You may be able to alert vendors, but
>>the problem with critical infrastructure is that is widely deployed around
>>the world. Releasing the way you did is irresponsible.
> 
> 
> Taking our freely available software and creating a mono-culture is
> something that the administrators did.
> 
> We don't get paid (or we don't get paid enough).

I see, so why don't you go work for commercial vendors? With that kind 
of security attitude I wonder why anybody believes OpenBSD is the most 
secure OS around.

Most arguments against open source in big organizations are that they 
have no backing, serious tech support, etc. That brought about a myriad 
of third-party companies which provide this service.

I often find open source to be a lot more responsive than many 
commercial companies, but it's still done based on good will and free 
time. That doesn't scale well in the board room.

You better quit now as you are making a horrible attempt at protecting 
open source, which I strongly believe in.

If a commercial giant ***** up, or an open source product does, makes no 
difference to me.
When people say: you can't comment unless you go and do on your own, 
move along. People will move along.

Sometimes I will ignore input from non-contributors, but ignoring 
input, especially of the critical type, from your users makes you not 
suitable for these users or to grow and scale as something for the 
infrastructure.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
