> This is idiotic, a big hole was found and the devs pissed about
> because they didn't want to admit it.
No one in OpenBSD is pissed off about this. We posted the bug fix as soon as we became aware of the problem. The timeline goes like this:

1) We were told there was an mbuf crash, which could remotely CRASH the machine. There was no proof that more could be done, not even a whiff.

2) We committed the fix, about 24 hours later. It took a few days to get the errata up because the people who do that were at a conference. It was labelled as a RELIABILITY FIX because everyone felt it was just a CRASH. I then entered into a long conversation with Core explaining why we label crash fixes (even remote) as RELIABILITY FIXES.

3) Core felt maybe something more could be done and continued working, and ONE WEEK LATER finally managed to show us brand new code which showed that intrusion was possible. Before that moment, it was still just confirmed to be a CRASH.

4) A few hours after we became aware that it was more than a CRASH, we changed the advisory to say it was a real security risk. We first had to get the patch into -stable. I changed index.html to talk about there being TWO remote holes in more than 10 years, without even discussing this with any other developer, because I knew it was true. Other developers in the group were stunned to see me change it.

5) Core decided that their advisory should include their interpretation of our discussion as to why OpenBSD labels crash fixes as RELIABILITY FIXES. Three times I told them that I thought that was a mistake, and that the public would not understand the reasoning as they wrote it.

That is what happened. If you don't believe me, mail Ivan Arce at Core and ask him if any of the 5 points above are wrong. Come on, go ask him if I am a liar... go ahead.

Yes, some of the press got it wrong too, and part of that I feel is Ivan Arce's fault. He should have been more cautious at explaining the complex discussion OpenBSD had with Core, where we explained why we label errata for remote crashes a Reliability Fix.
Or he should have skipped it altogether. He even went around telling the press that this shows that IPv6 is a risky new technology, when the fact is that this was an mbuf corruption bug, in code that all parts of the network stack could potentially use in the same way. He's got his layers wrong. But finding bugs in other people's software lets companies like Core sell themselves as experts. They are experts, but the good press they get should not cost us in this way.

Let's see... the fsck_ffs fix pedro committed a few hours ago. That fixes a serious problem where fsck fails to spot filesystem corruption. Should we spend time fully assessing how rare or common this situation is, and then errata it up the stream as fast as possible, maybe even consider if there are security risks from such filesystem corruption? Come on. Yet that is what some non-experts moan for. They want projects with only a few people (who are doing this for a hobby) to struggle down these well-defined paths that their little brains can understand. They don't understand all the other things that developers do, so they wish to cubby-hole us into these procedures. In the last 10 years they have not gotten us to behave so, and in the next 10 years it won't happen either.

The reality is that people don't hold their own mothers as accountable as they are trying to do here with us, yelling "conspiracy", "downplay", etc. The minute someone moans for a posting to the security-announce list they have removed any desire from me to do so. And the same comes for any other errata. If people on our mailing list are going to be such jerks about patches which we do make available, then maybe we'll spend a whole lot less effort making errata and updating -stable. The whole concept of being subservient towards a community of jerks is not realistic.

> Move on and end this.
>
> Theo, chill out.

I've been chill the entire time. If I have not been around much on the lists, it is because I'm getting 4.1 out the door.
I really don't understand why a few people have to be assholes about this. Go fix the problems in your own lives first...