Open Source and information security mailing list archives
 
Message-ID: <F3F61FC8-B83A-44B1-8BFB-CD7859E52A11@madscience.nl>
Date: Sat, 25 Mar 2006 09:12:19 +0100
From: Pim van Riezen <pi@...science.nl>
To: Theo de Raadt <deraadt@....openbsd.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)



On Mar 24, 2006, at 11:17 PM, Theo de Raadt wrote:

> I did not decide that OpenSSH should become a critical part of the
> internet, or that it should become a virtual monopoly.  We made it
> free.  Again, the community decided to make it Internet
> infrastructure.
>
> Now you want to tell us that because the Internet community made
> decisions like these, that we should be held responsible.  That we
> have to follow YOUR procedures.  That we have to answer to YOU.
>
> What if we ignore your procedures?  What if we say no?  What will you
> do then?  Continue to verbally attack us?  To what end?  To show that
> you are thankless dogs?

Mr. De Raadt,

Perhaps you had no intention for your software to have such an  
influence over the internet. You did not create it in a vacuum
either; on dangerous ground as I may be in second-guessing people's
motivations, I cannot imagine a developer releasing a quality piece  
of software, not hoping for it to be used by a large group of people.  
When you rise to such a position of influence, there comes the  
inevitable fact that many people will have opinions on how you use  
this influence, especially where it affects their daily lives.  
Getting upset about this is as pointless as it is for a rockstar to  
complain about the paparazzi.

It is true that the developers of a free product, even if their product
rose to the level of popularity that it can be considered critical  
infrastructure, have no formal obligations towards their userbase at  
all. It would be silly to claim, however, that they are not  
responsible for the effects their decisions have on a larger  
community. People of character like yourself understand this  
responsibility. Where people's decisions have such tremendous impact,  
declaring outside criticism invalid counters that.

This is not to say that I don't feel empathy for your despair in the  
face of thousands of people that are probably overloading you with  
'helpful suggestions' for your projects, but I think it is best to  
utter such frustrations in the privacy of one's home and let the  
people make their noise. Who knows, sometimes interesting sound rises  
up from such noise.

Kind Regards,
Pim van Riezen


