On 5/16/25 12:31 PM, Taylor R Campbell wrote:
> It is not nonsensical, and it is not the inconsequential pedantry you
> are suggesting. Please consider avoiding sarcastic disparagement when
> publicly discussing the factual matters of security reports.
>
> The report says that `NetBSD 10.1' is affected. This is not quite
> right, _and it matters_ even if you set aside the fact that NetBSD
> 10.1 itself (which does ship tmux!) does not ship screen, because:
NetBSD 10.1 (and earlier) is affected (if you use its package manager to install screen).

Arch Linux is affected (if you use its package manager to install screen).

Debian 12.10 (but this is not quite right!!!1!11!!!oneoneeleven. The same packages are available on e.g. Debian 13, 11, etc.) is affected (if you use its package manager to install screen).

Ubuntu 24.04.10 (but this is not quite right!!!1!11!!!oneoneeleven. The same packages are available on e.g. Ubuntu 22.04, 24.10, 25.04, 25.10) is affected (if you use its package manager to install screen).

Gentoo (but this is not quite right!!!1!11!!!oneoneeleven. The same packages are available on e.g. macOS Prefix) is affected (if you use its package manager to install screen).

> (a) the same pkgsrc packages are available on, e.g., NetBSD 9.x (which
> is not EOL); and
>
> (b) pkgsrc is used on platforms other than NetBSD, including macOS,
> SmartOS, and various Linux distributions (e.g., for unprivileged
> use on HPC clusters where it is more flexible and up-to-date than
> the Linux distribution's package manager).
>
> That is why it would be more accurate for the report to say
> `pkgsrc-2025Q1', not `NetBSD 10.1'.

I strongly dispute this. It should instead list both, as both are affected. (Again, (b) is the same distinction as "Gentoo, but also portage-20250508, are both affected".)

But the list of affected distributions wasn't complete, and likely wasn't intended to be. Nor was its list of distribution *versions*. It didn't list affected versions for Adelie, Alpine, CRUX, Exherbo, Guix, Homebrew, Mageia, Mandriva, Solus, Void Linux...

I'll reiterate that claiming NetBSD is "not affected" because "the base installation doesn't preinstall it" is nonsensical, and highly reminiscent of, erm, a different BSD that uses similar logic to conclude that "the base installation" does not need useless bloat such as TrustedBSD.
I encourage you to relax and stop feeling like the honor of NetBSD is at stake if you fail to prove that "NetBSD 10.1" was exempt from the same issue all other distributors had. It's no embarrassment for an operating system to have the builtin capability to install software; you can just *not* treat it like an unwanted and uninvited guest tracking mud all over the kitchen that needs to be disavowed.

--
Eli Schwartz