LINUX.IE, website of the Irish Linux Users' Group
[ILUG] openssh vulnerability

Paul Jakma paul at clubi.ie
Tue Jun 25 12:04:01 IST 2002


On Tue, 25 Jun 2002, Anders Holm wrote:

> Ok, lets see...
> 
> What I can get out of this is that Theo and Co. actually have
> _tried_ resolving this _with_ vendors,

no, it /seems/ he's only:

"We've been trying to warn vendors about 3.3 and the need for
privsep,"

> but that they are not responding properly to this vulnerability and
> apparently do not seem to care to help out.

no, they are not too keen on rolling out privsep while it is still
new and immature code (esp. on linux).

> When a new vulnerability is discovered, one _should_ first talk to
> the vendors, as you yourself point out, before going public with an
> announcement like this. But apparently he has done so, 

no, it /seems/ he /hasn't/ done so. he's keeping the actual details of
the problem close to his chest.

this is what annoys me.

> without any good results.... So, where does he "dictate security
> policy"?? 

that'd be where the gist of the message is: "no one gets advance notice of
the actual bug, but hey our new privsep code is cool, everyone
should upgrade to it"

he has an agenda of wanting people to move to privsep, and is using 
this upcoming bug fix to force people to move to it. it seems.

yes i think priv sep seems like a good idea. but it's also fairly 
complex, and i'd prefer that the distributors could choose between 
rolling out priv sep and rolling out a fix.

> I for one happen to like the idea of getting warned about
> security holes... Don't you?

yes, Theo /isn't/ doing this. (well, other than advance notice he's
going to publish details next week, and tough luck if you're not
running priv sep).

> Theo also states that PrivSep IS NOT A FIX but at least a
> workaround UNTIL a patch can be distributed. So, he is giving
> people a way of closing a flaw until it can be fixed. Since when is
> that bad? Sure, not ideal, but is it _so_ horrible?

did you not notice that both of my 2 main points started with seems?
indeed one had "seems" delimited by slashes to highlight it. this was
intended to suggest that my points were speculative. but maybe those
2 "seems" got lost somewhere.

i speculated on how this /seems/ to me, and we'll find out how it pans out
over the next week or two.

(and /my/ sad fear is that Theo will release all details of the
problem to the entire public, rather than first release details to
vendors to allow them to start work on new packages - "screw you guys
who haven't upgraded to priv sep and didn't help with porting it to
linux/solaris/pam/etc.", 'cause that's the way he's often worked in
the past.).

anyway, we'll see how it works out. and no doubt there'll be a lot
more comment on the subject in the weeks to come.

> I'd suggest to calm down and let the hormones cool down, and try to
> realise what is actually being achieved before going on like this.

oh, i do so like to be condescended to.

> Especially flaming someone who has not even been copied on your
> flames, and probably knows nothing of it. Would you like to be
> treated the same way?

well, Theo doesn't need additional flames Cc'ed to him, i'm sure he's
kept warm enough already.

> Oh, Standard disclaimer applies, anything said in this e-mail is my
> view and not the company I work for etc. blah, blah blah.......

> Best Regards
> Anders Holm

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
The explanation requiring the fewest assumptions is the most likely to be
correct.
		-- William of Occam