Re: Fwd: Any user can panic OpenBSD machine

[perry () piermont com (Perry E. Metzger)]

Theo de Raadt writes:
> > > did it.  Now, shall I list 50 ways to crash a NetBSD box from the shell?
> >
> > I would highly appreciate it if you would. The NetBSD project believes
> > in the same philosophy of open disclosure that the BUGTRAQ mailing
> > list runs on. What you know about you can fix, what you don't know
> > about *can* hurt you. By all means, please make your list public.  If
> > you tell us about these 50 ways to crash a NetBSD box from the shell,
> > we can fix them. If you don't tell us about them, we cannot fix them.
>
> Our source tree is available for anonymous cvs.  You can look at it.
> Detailed commit messages are available.

Most of your security CVS messages, Theo, say things like "pretty" or
"oops" or "fixed problem". This doesn't help people who are watching
your CVS commits list much -- it is hard to read every line you add to
your source tree. It would be much easier if you simply sent out
security information in a reasonably detailed way.

If you actually have 50 ways to crash a NetBSD box from the shell,
please, by all means tell us what they are. BUGTRAQ is primarily for
full disclosure, not for telling us that you know something we don't
know.

> How about the various problems at http://www.openbsd.org/security.html
> which have been sitting there for months?

I believe we've fixed those, except for the ones that do not apply to
us and a few on which there are honest disagreements.

> I'm sorry, Perry.  I am not being paid to audit your insecure little
> operating system managed by nasty argumentative people.

Sigh.

I was under the impression that most people around here are believers
in the Open Source philosophy and would rather share information than
hoard it.

In any case, I hope that most people around here are more generous
about trying to help each other out in improving system
security. That's what BUGTRAQ is for, after all.


Perry