[ale] Another SSH Release?

Jonathan Rickman jonathan at xcorps.net
Wed Sep 17 00:08:29 EDT 2003


On Tuesday 16 September 2003 23:20, Chris Ricker wrote:
> On Tue, 16 Sep 2003, Jonathan Rickman wrote:
> > Not sure what's going on, since the developers remain silent.
>
> Not entirely silent. The advisory at
> <http://www.openssh.com/txt/buffer.adv> was updated....
 
I'm referring more to their lack of official public announcement. The 
existence of that document was largely unknown until someone not 
affiliated with the maintainers stumbled into it and posted it to a 
public list. IMO the OpenSSH team should have released an official 
advisory to every mailing list under the sun no later than noon today. 
Their relative silence on this is VERY disturbing if you ask me. At this 
point I believe that they have every intention of burying this in the 
hopes that everyone will just shut up about it. This will be the second 
time this has happened. They largely succeeded in their last attempt. I 
am not a Theo hater, but I can certainly see the merits of the arguments 
presented by the unofficial "Theo Hater Club". For instance...

From http://www.openbsd.org/security.html

"Like many readers of the BUGTRAQ mailing list, we believe in full 
disclosure of security problems. In the operating system arena, we were 
probably the first to embrace the concept. Many vendors, even of free 
software, still try to hide issues from their users.

Security information moves very fast in cracker circles. On the other 
hand, our experience is that coding and releasing of proper security 
fixes typically requires about an hour of work -- very fast fix 
turnaround is possible. Thus we think that full disclosure helps the 
people who really care about security."

...this quote demonstrates a willingness to talk the talk. But they seem 
to be failing to deliver on the other part of the cliche. Again, I 
appreciate the work these guys do. They have arguably had as much impact 
on the state of security in the Open Source world as anyone out there (if 
not more). But again, they do seem to be placing a higher priority on the 
security of their egos as of late.

-- 
Jonathan Rickman
Key ID: 0DF501FF



