[svlug] OpenSSH vulnerability (Where's the beef?)
dmarti at zgp.org
Tue Jun 25 15:48:03 PDT 2002
begin J. Paul Reed quotation of Tue, Jun 25, 2002 at 03:27:15PM -0700:
> You are correct that we don't have any less information in C than we would
> in B, but we have a *whole* lot more DISinformation and "panic" by people
> who are acting without critically thinking; they're acting because "Theo
> told me to," and that's unacceptable and incompatible with open source
If you can't evaluate information and think critically about security
risks, you probably shouldn't be running a server anyway.
> If De Raadt had handled this in a mature manner, he would've either saved
> his marketing press release (aka his "vulnerability" notice, which tells
> everyone NOTHING) for when he was done fixing the (supposed) bugs in his
> software, or if it was huge of a problem, he would've published the details
> of the exploit, and (if his ego weren't so big) maybe a request for help.
If Theo's mail told everyone nothing, what makes it such a big deal?
I write mail that says nothing all the time -- better flame me.
> A work-around of "use my spiffy code that's untested on your platform" is
> not acceptable; that's code for "I'm more interested in pushing my new code
> than fixing my old code."
I see, Theo must have some obligation to you, for you to be able
to say what is and isn't "acceptable" behavior for him. So, in
that case, if you're mad you should fire his lazy ass.
http://zgp.org/~dmarti Help spread accurate information
dmarti at zgp.org about Xenu and the Church of Scientology.
KG6INA <a href="http://xenu.net/">Scientology</a> on your web site.