[ale] Another SSH Release?
Jonathan Rickman
jonathan at xcorps.net
Wed Sep 17 00:08:29 EDT 2003
On Tuesday 16 September 2003 23:20, Chris Ricker wrote:
> On Tue, 16 Sep 2003, Jonathan Rickman wrote:
> > Not sure what's going on, since the developers remain silent.
>
> Not entirely silent. The advisory at
> <http://www.openssh.com/txt/buffer.adv> was updated....
I'm referring more to their lack of official public announcement. The
existence of that document was largely unknown until someone not
affiliated with the maintainers stumbled into it and posted it to a
public list. IMO the OpenSSH team should have released an official
advisory to every mailing list under the sun no later than noon today.
Their relative silence on this is VERY disturbing if you ask me. At this
point I believe that they have every intention of burying this in the
hopes that everyone will just shut up about it. This will be the second
time this has happened. They largely succeeded in their last attempt. I
am not a Theo hater, but I can certainly see the merits of the arguments
presented by the unofficial "Theo Hater Club". For instance...
From http://www.openbsd.org/security.html
"Like many readers of the BUGTRAQ mailing list, we believe in full
disclosure of security problems. In the operating system arena, we were
probably the first to embrace the concept. Many vendors, even of free
software, still try to hide issues from their users.
Security information moves very fast in cracker circles. On the other
hand, our experience is that coding and releasing of proper security
fixes typically requires about an hour of work -- very fast fix
turnaround is possible. Thus we think that full disclosure helps the
people who really care about security."
...this quote demonstrates a willingness to talk the talk. But they seem
to be failing to deliver on the other part of the cliche. Again, I
appreciate the work these guys do. They have arguably had as much impact
on the state of security in the Open Source world as anyone out there (if
not more). But again, they do seem to be placing a higher priority on the
security of their egos as of late.
--
Jonathan Rickman
Key ID: 0DF501FF