[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4424B5F8.10600@linuxbox.org>
Date: Sat, 25 Mar 2006 05:16:08 +0200
From: Gadi Evron <ge@...uxbox.org>
To: Theo de Raadt <deraadt@....openbsd.org>
Cc: Martin Schulze <joey@...odrom.org>, bugtraq@...urityfocus.com
Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,
Memory Jumps, Integer Overflow)
Theo de Raadt wrote:
>>Sendmail has been an important part of the Internet infrastructure and
>>has gained a lot of honour and respect. Many people use this piece of
>>software and a lot of distributors/vendors are proliferating this
>>software. They do deserve better, as do the users who decide to trust
>>this vendor.
>
>
> Paul Vixie did not decide that BIND should become a critical part of
> the internet, or that it became a virtual monoculture. He made it
> free. The community decided to make it Internet infrastructure.
No, he said: "I am up to the challange and I will do my best." If he
couldn't he would have been responsible enough to say "I can't."
If he stayed anyway and would have not been up to task (which he was),
he would have been seriously attacked as well and maybe even it would
have been taken from him.
At this point I should probably not Paul is critical to DNS and a big
part of bind, but he would be the first to say bind and DNS are not
*his*. I think it's great he's around.
> Eric Allman did not decide that BIND should become a critical part of
> the internet, or that it became a virtual monoculture. He made it
> free. The community decided to make it Internet infrastructure.
>
> I did not decide that OpenSSH should become a critical part of the
> internet, or that it should become a virtual monopoly. We made it
> free. Again, the community decided to make it Internet infrastructure.
I personally appreciate OpenSSH, yet you keep insisting on saying on
this thread that because it is free you shouldn't be held responsible,
be expected to do anything or even worse, be expected to work on this
unless you get paid.
Maybe you should change your moto about being the most secure OS around?
> Now you want to tell us that because the Internet community made
> decisions like these, that we should be held responsible. That we
> have to follow YOUR procedures. That we have to answer to YOU.
No one expects you to follow our procedures, heck, we are not the guys
who re-coined "responsiuble disclosure" (which was a cool invention at
first) as "work with us in our way or you are not responsible".
There are *no* procedures, you are held to your conscience. That said, I
am sure you know how to be responsible.
On critical Internet infrastructure, which is global, there should be.
No one country can make them.
> What if we ignore your procedures? What if we say no? What will you
> do then? Continue to verbally attack us? To what end? To show that
> you are thankless dogs?
>
> Does it make you feel like more of a man when you publically attack
> people who wrote good things that you depend on, which you never
> gave anything for?
>
> Isn't it you who every day make the same decision to run our software,
> give nothing back, and then believe that you have anything at all to
> stand on?
>
> Open Source developers get attacked when they don't follow YOUR
> procedudes, but SSH.COM can skip fixing security problems for years,
> and you will be silent.
>
> You (and others like you) should be ashamed. I am done with this
> conversation.
>
> note: I only wrote parts of OpenSSH; it was based on older free code
> by Tatu Ylonen before he chose to go commercial, and initially made
> free primarily by Niels Provos, Markus Friedl, myself, and a team of
> other people. Now it is maintained by about 6 developers.
>
Powered by blists - more mailing lists