Domain: marc.info
Stories and comments across the archive that link to marc.info.
Comments · 204
-
An NDA that expires? I suspect a hoax. I'd be more than a little surprised if any part of the US government would in fact agree to let non-disclosure agreements expire automatically. That alone makes me suspicious that the truth content of these allegations is a little thin.
For those of you who are interested in finding out the facts, start by reading the whole thread on openbsd-tech (eg http://marc.info/?t=129236639300001&r=1&w=2 ), it's only a handful of messages so far and I find Damien Miller's response at http://marc.info/?l=openbsd-tech&m=129237675106730&w=2 particularly enlightening. (You're using Damien's code right now, in some other window -- he's been a major OpenSSH developer for quite a while).
Then again, I have to agree with Bob Beck (see http://marc.info/?l=openbsd-tech&m=129236730027908&w=2 ) that this is fairly likely to be part of a personal vendetta of some sort, possibly against either the OpenBSD project or even something totally unrelated, using the OpenBSD project only as the attention-grabber in contexts such as /.
At this point we have only allegations with some finger pointing, I for one look forward to any real information to surface. The best way to draw out the real information behind this is to do what Theo did - publish the allegations and let the involved parties explain themselves in public.
-
Re:Sigh. Conspiracy theorists
Given that the following story got posted a short while ago, your post doesn't seem all that insightful anymore. I'm not accusing the gov'tal overlords in the HP case but the powers that lie, cheat and steal are not above pulling a lot of surreptitious shit.
FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
-
Denial by Scott Lowe
The original message claimed Scott Lowe was on the FBI payroll:
> for example Scott Lowe is a well
> respected author in virtualization circles who also happens top be on
> the FBI payroll, and who has also recently published several tutorials
> for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
In response, Scott Lowe has denied any affiliation with the FBI or other government agency.
-molo
-
Re:Then Why ZFS?
How about 16 SSDs?:

             ZFS             BtrFS
 1 SSD       256 MiByte/s    256 MiByte/s
 2 SSDs      505 MiByte/s    504 MiByte/s
 3 SSDs      736 MiByte/s    756 MiByte/s
 4 SSDs      952 MiByte/s    916 MiByte/s
 5 SSDs     1226 MiByte/s    986 MiByte/s
 6 SSDs     1450 MiByte/s    978 MiByte/s
 8 SSDs     1653 MiByte/s    932 MiByte/s
16 SSDs     2750 MiByte/s    919 MiByte/s
-
Re:Then Why ZFS?
They did actually benchmark OpenIndiana as well, which includes the latest version of ZFS which is available through open source.
Which was faster in some tests and slower in some other tests. It was mostly slower in tests that did include OpenIndiana, but we don't know how it performed in the others. So the test was kind of useless.
Phoronix tested with a single HDD and did tests with a single SSD.
I do however think that the important lesson here is, that from the few people who tested it, on large installations (a large number of SSDs), ZFS/FreeBSD is faster than btrfs/Linux. For example, from Aug 05 2010:

             ZFS             BtrFS
 1 SSD       256 MiByte/s    256 MiByte/s
 2 SSDs      505 MiByte/s    504 MiByte/s
 3 SSDs      736 MiByte/s    756 MiByte/s
 4 SSDs      952 MiByte/s    916 MiByte/s
 5 SSDs     1226 MiByte/s    986 MiByte/s
 6 SSDs     1450 MiByte/s    978 MiByte/s
 8 SSDs     1653 MiByte/s    932 MiByte/s
16 SSDs     2750 MiByte/s    919 MiByte/s
-
Theo warned about this years ago
Only if the X server or another root process is compromised, I think. Reminds me of this warning from Theo years ago:
http://marc.info/?l=openbsd-misc&m=114738577123893&w=2
-
Re:The people behind GIMP don't care about the nam
Anecdotal evidence that doesn't change the fact that:
1. The Gimp is a derogatory term
http://www.urbandictionary.com/define.php?term=gimp
2. Multiple users have requested that the name be changed
http://marc.info/?l=gimp-user&m=115965440614876
What would be lost if the name was changed? Is it really that great of a name?
-
Xbox 360? A better example!
A better example from the past of this same sort of attack was back in OpenSSH Portable. Specifically, OpenSSH/PAM timing attack allows remote users identification
Note that this didn't apply to finding passwords, just that invalid users would immediately return an error after the password was entered, while a valid user and incorrect password would have a delay.
-
Re:Got my CD in the mail a few days ago
Yeah, I use OpenBSD. My firewall's named linksys and the SSID is default, both for sheer entertainment value.
I guess you could describe that as "What's the sound of one-hand clapping?" or "An inside joke of the nth degree".
;-) Entertainment aside, pf users and fans should note the pf syntax changes.
-
Release announcement and changelog
-
Re:Bugs are an error in the...
And so
MD_Update(&m,buf,j); /* purify complains */
was commented out.
Laurie addresses exactly this point in the entry I linked to. Immediately following the sentence I quoted (and to which you refer):
About 50% of the comments on my post point to this conversation on the openssl-dev mailing list. In this thread, the Debian maintainer states his intention to remove for debugging purposes a couple of lines that are “adding an uninitialised buffer to the pool”. In fact, the first line he quotes is the first one I described above, i.e. the only route to adding anything to the pool. Two OpenSSL developers responded, the first saying “use -DPURIFY” and the second saying “if it helps with debugging, I’m in favor of removing them”. Had they been inspired to check carefully what these lines of code actually were, rather than believing the description, then they would, indeed, have noticed the problem and said something, I am sure. But their response can hardly be taken as unconditional endorsement of the change.
[Emphasis mine]
And so
MD_Update(&m,buf,j); /* purify complains */
was wrongly commented out.
-
Re:Blame piracy
It doesn't *have* to be assembly. For instance, you can do runtime patching with python:
http://www.google.com/search?q=adder-0.3.3-win32.zip
The first link is the most interesting one:
-
Re:Other dirty tricks
> A sufficiently clever binary can just map
> ld.so and the app into itself and effectively
> execute anyway.
That's ul_exec(). Published in 2004.
http://marc.info/?l=bugtraq&m=107298764827122&w=2
-
Re:Non-random bits on LiveCD can compromise securi
Not Linux. Randomness comes from the time (hardware, persistent), but also from the randomness of network traffic and other driver miscellanea such as HDD head seek times, mouse movements, keystrokes, CPU temperature data, electrical noise on the power supply (with the right hardware)...
If you start the LiveCD only to use online banking there isn't much time between the startup and the time you need randomness for a secret key. The question is if there is enough time to gather sufficient entropy from the environment.
Others have suggested to seed with the current time, but that is easy to guess for an attacker. Netscape's original SSL implementation was broken because the PRNG used only the current time (in microseconds) and the PID as a random seed ([1], [2]).
[1]: http://marc.info/?l=bugtraq&m=87602167418753&w=2
[2]: http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html
-
Re:Once again, benchmarks fail
Sorry, sir
From Phoronix:
"The tests that were carried out under FreeBSD 7.2, FreeBSD 8.0 RC1, and Ubuntu 9.10 Alpha 6 included timed ImageMagick compilation"
From freebsd-current mailing list:
> Hi,
>
> I would like to ask that the FreeBSD 8.0-RC1 ISO-s free from the
> debugging features (WITNESS, malloc debugging, etc.)? Or these
> services are still being active?
They are gone, for the most part. r197065: http://svn.freebsd.org/viewvc/base?view=revision&revision=197065
Remove extra debugging support that is turned on for head but turned off for stable branches:
- shift to MALLOC_PRODUCTION
- turn off automatic crash dumps
- Remove kernel debuggers, INVARIANTS*[1], WITNESS* from
GENERIC kernel config files[2]
[1] INVARIANTS* left on for ia64 by request marcel
[2] sun4v was left as-is
-
Re:Once again, benchmarks fail
-
Re:TinyDNS
Has anyone ever tried TinyDNS? Its creator isn't the most cooperative guy when it comes to Debian standards in terms of binary locations and therefore Debian refuses to add it to their repository.
Its creator, Daniel J. Bernstein (DJB), isn't the most cooperative guy, period. His reputation precedes him as "extremely intelligent, but kind of an asshole", each and every time his name is mentioned.
It has never been DNS cache poisoned, it has never been hacked at all. In fact there is a reward for anyone that can.
It has been cache poisoned: on February 25, 2009, Matthew Dempsky disclosed a vulnerability; he claimed the $1,000 prize a week later.
Security Issue in djbdns
djbdns misformats some long response packets; patch and example
Dan Kaminsky, twitter feed: Dempsky's bug in djb's tinydns...
Dan Bernstein Confirms Security Flaw In Djbdns
Here is another unrelated DNS cache poisoning paper by Kevin Day, published date February 9, 2009.
Any developer who offers a monetary prize for security bug quashing is going to eventually part with their money.
-
Alternative Link
Here is a link to the start of the thread that has not been slashdotted ... yet.
http://marc.info/?l=linux-kernel&m=124870096801094&w=2
-
Ideas
Russell,
Here are some ideas:
Size the job. In this case your focus is too narrow. You are focusing on yourself, when you should be focusing on the entire human condition.
Examine your assumptions. Are you making assumptions? Are your assumptions justified?
In this case, you are making assumptions that are not justified. You think the problem is you, but look more closely. Is that actually true?
You are excellent at expressing yourself. You have made kind (1) (2) and gentle and humble (1) (2) statements.
People think "geek" means someone who has been psychologically damaged by bad parenting. Maybe that happened to you, but you have grown a lot in recent years.
Use words carefully. Often technically-knowledgeable people are self-defeating. On Slashdot, you call yourself "JustShootMe". You say you are a "geek". You say, "meatspace", a term sure to be misunderstood by most people.
Women want to meet you. Single women partly have the same problems you have. They need to meet a suitable person of the opposite sex. If you look like you are seriously looking, they will sense that immediately. If you give the impression you are only interested in seriously interesting women, a seriously interesting woman will realize that immediately.
Resolve your unhealthy fears. Talk with every woman who wants to talk with you.
Advertise your availability. Finding a significant other is a huge problem. Most people can sympathize. Make sure everyone, even people you meet casually, know you are serious about finding a significant other.
The Los Angeles area is an extremely difficult place to meet a woman who wants a serious relationship. I thought about this for many years when I lived in Huntington Beach. My best theory is that the phoniness and dishonesty and artificiality of the Hollywood film industry has infected the entire culture of Los Angeles.
The U.S. culture is undergoing a cultural breakdown. No one understands completely why, but sometimes countries become self-destructive. When there is a cultural breakdown, the level of anxiety increases. It becomes far more difficult to make stable relationships.
The U.S. government has invaded or bombed 25 countries since the 2nd world war, all apparently for profit for weapons and oil investors, and other private interests. For example, read the book, House of Bush, House of Saud. The Bush family supported the interests of whomever gave it money, against the interests of the United States. The Saudis were willing to provide 1.4 billion dollars, so they got what they wanted.
Other examples: 1) The Savings and Loan crisis was arranged to steal money from taxpayers. 2) It was arranged that, instead of pensions managed by professionals, taxpayers would have "IRAs" they managed themselves. Since only highly trained professionals who spend all day thinking about investments can compete in the stock market, most taxpayers lose money to the professionals. 3) Warren Buffett very publicly called derivatives "financial weapons of mass destruction" beginning in 2002. However, the laws designed to prevent fraud were removed at the beginning of George W. Bush's first term. They were not re-instated. The forces of corruption were greater than the forces towar -
Any experience using OpenBSD to serve XBOX360?
Yes, a Windows 7 streaming server is fine, but I don't have any Windows PCs at home. Amazing timing of this article actually - I've just run CAT5e cable throughout the house and got everything connected, and had begun researching my options for getting my XBOX360 to use media files from my OpenBSD server. Has anyone done this?
I found a related thread on misc@ which did not provide a solution, but I contacted the thread's original author and he has still not found a solution.
-
Re:Agreed.
I seriously don't know what you were reading but it wasn't Keir's blog posting. There was absolutely nothing in there about fanbois
I believe there is a bit of a misunderstanding here. First I was responding to a rant about fanbois making another slashdot reader nearly homicidal, second the slashdot reader and Keir's article about linux critics were both referring to what happened on Keir's blog when he posted the criticism of Firefox and Ubuntu, he was flamed by fanbois. I was not commenting on any statements by Keir about fanbois per se. But Keir was commenting on his conclusion that "there aren't many critics within the community" based on the fact that he was flamed on his blog by fanbois. Note to Keir and anyone else who is flamed by fanbois, fanbois posting on a blog != the linux community. And in fact there is criticism, debate, flaming, etc. within the linux development community, all one has to do is peruse the archives of the linux kernel mailing lists.
suggest the critic needs to grow a thicker skin with the implication that if the he doesn't like it, tough, and he should STFU.
Uh, no, you are reading much more into what I wrote. The fact is I was suggesting that the slashdot reader and Keir should basically go along with their business and not let the fanbois cause them grief or dismay. I in no way suggested that Keir STFU and actually quite the opposite suggested he simply ignore the flames.
I am now being modded in to the -1 basement as you read this, if you even read -1.
Looks to me that there was no modding what so ever. Oddly enough, I actually do have my threshold set to read -1 comments for the exact reasoning you suspected you would be modded to -1. For the most part comments that are modded down are deserving, but occasionally there are valuable comments that are trashed by fanbois.
The following things in Linux cause me deep concern, they never get fixed and they've pushed me, like a lot of hardcore Linux people to the Mac.... and I've had a Linux desktop for like 10 years
Similar background here, started playing with linux in 1997, purchased a used Power Mac dual 1GHz G4 in the MDD case. But the reasons were a bit different, either I was having fewer issues with linux or was able to resolve mine, I was simply interested to see what all the fuss was about with the new OSX. It was a nice system, other than the cooling fans that sounded like a vacuum cleaner when the system warmed up, but I sold it a few months back as I was not interested in paying for a simple OS update. I now run linux on all my systems from my laptop and desktop to the various servers and routers I use.
The whole GNOME versus KDE thing is pretty much killing desktop Linux
We hear that a lot, but I can't say I agree. Nobody is forced to use either so you pick the one you like.
GTK is a horrible toolkit to build anything on. I used to love KDE but it completely impaled itself with 4.0. I blame Trolltech for constantly changing their toolkit which trashed all the KDE code built on top of it, and KDE
I hear ya there. It's actually been a while since I did any desktop application development but the QT Designer I used to create QT based applications was light years ahead of the GTK tools. Funny thing is though I preferred the Gnome desktop. :)
Linux Audio in particular and multimedia in general is a train wreck
Linux is definitely worse off than Windows or OSX in multimedia, but IMO the entire media market is a train wreck due to the antics both content providers and the developers who are feeding off their idiocy. I've had my fair share of pains setting up audio on some systems so you may have a valid point on the ALSA drivers. I would note howev
-
Re:Newsworthy. Actual news.
Oh ffs, the OpenSSL developers were just as responsible for the snafu as Debian was. More so I'd say since the Debian developer asked on the openssl-dev list about his patch and whether anyone had any objections to it. Here's the response he got from an OpenSSL developer: http://marc.info/?l=openssl-dev&m=114652287210110&w=2/
List: openssl-dev
Subject: Re: Random number generator, uninitialised data and valgrind.
From: Ulf_Möller
Date: 2006-05-01 22:34:12
Message-ID: 44568CE4.9020906 () openssl ! org
Kurt Roeckx wrote:
> What I currently see as best option is to actually comment out
> those 2 lines of code. But I have no idea what effect this
> really has on the RNG. The only effect I see is that the pool
> might receive less entropy. But on the other hand, I'm not even
> sure how much entropy some unitialised data has.
>
Not much. If it helps with debugging, I'm in favor of removing them.
(However the last time I checked, valgrind reported thousands of bogus
error messages. Has that situation gotten better?)
Got that? He was given the ok by an OpenSSL developer. They're every bit as responsible as Debian.
-
Re:Compromise
I'll just let RMS himself answer that one.
I agree with him on this one (I'm sure that will come as a great relief to RMS {/sarcasm}). MP3 is a proprietary codec and is riddled with patent liability (is it Lucent that own most of it now?) and so forth. More and more media players support FLAC and Vorbis and the need to use MP3 is shrinking by the day. If only the Shoutcast mob would stop using it exclusively.
-
Re:Compromise
Exactly my point, but worded in a far better way. I tend to use FLAC or Vorbis instead of MP3 and I try to choose my hardware with an eye to various HCLs. I use ATi or Intel graphics where possible (sorry, Via, your S3 offerings are simply not compatible enough, although you do try to be open) due to things like GEM and AMD's R6/700 information release. This goes to pieces when purchasing notebooks, naturally.
However, I am in the enviable position of being the final arbiter of what goes into the machines I have to use and I can justify the choices based on other, non-free software issues.
I note you mention Fedora. IMHO Red Hat have the balance just right: The base is untainted but there are methods to install what you need should you find it necessary. It's the same with FreeBSD: The base is pure free software (I can say that now since the Atheros HAL is fully open and the Intel wireless stuff requires a licence ack to activate). The ports, on the other hand, point to all sorts of non-free, possibly binary-only code (RMS has criticised OpenBSD's ports system for this publicly) which you may install if you feel the need. Note that ports/pkgsrc does not distribute the actual binary or source code, just provides a pointer to it. Quite how this is wrong I fail to see. As you so rightly said, getting some things to work can be a total PITA and anything that eases this workload has to be a good thing for free software in general. I think the bottom line we both agree on is that we have to be able to interoperate with non-free formats while we're in the minority. This may put us at odds with some people's version of "freedom" but still remains necessary to function properly in the current IT ecosystem.
-
Personally I would have gone with option C... But I'm nonetheless glad to be compiling 2.6.28 right now. From the Linux kernel mailing list (emphasis mine):
Perhaps more interesting is simply the release scheduling issue. I'm getting slowly ready to do a real 2.6.28, but I don't think anybody really wants the merge window to be around the holidays. So the question is really whether to
(a) just make the -rc's go on a few more weeks, and do 2.6.28 after xmas. I like this, because alledgely people are debugging things, and we'd get a more stable 2.6.28.
or (b) release in a week or two, but just allow for possibly extending the merge window due to people being drunk on eggnog.. I like this because let's face it, we get more and better bug information after releases, and everything _should_ be ready for merging *before* the merge window anyway.
or (c) some other crazy scheme that somebody comes up with in a drug-induced stupor.
So I haven't quite decided on that thing yet, but I'm open to suggestions. Linus
-
legacy HAL
Note that Atheros already released a "legacy" HAL 2 months ago: http://marc.info/?l=linux-wireless&m=122246623707038&w=2
-
When I proposed dropping the $ from variable names
They told me that is not such a great idea
http://marc.info/?t=122174931400009&r=1&w=2
and I agree that it will break things but it would make PHP more friendly to JavaScript programmers.
I don't know if they researched the solutions to this issue from other programming languages: Python, Perl, Ruby, Pascal ....
-
That's nice, but...
Have they fixed the aacraid driver yet? The new kernel doesn't do me a bit of good if all I get on boot is a continuous stream of:
aac_srb: aac_fib_send failed with status: 8195
and my disk array is not recognized.
http://lkml.org/lkml/2008/5/12/365
https://bugzilla.redhat.com/show_bug.cgi?id=450444
http://bugs.gentoo.org/show_bug.cgi?id=233364
http://bugs.centos.org/bug_view_advanced_page.php?bug_id=2911
http://marc.info/?l=linux-kernel&m=122166454808377&w=2
http://linux.derkeiler.com/Mailing-Lists/Kernel/2008-10/msg02493.html
-
Testing is vital... hiring deadwood is too painful
I've been burned too many times by good resumes and sweet talk to hire anyone without seeing what they can do on the whiteboard. As I wrote in http://www.kegel.com/academy/getting-hired.html :
A surprisingly large fraction of applicants, even those with masters' degrees and PhDs in computer science, fail during interviews when asked to carry out basic programming tasks. For example, I've personally interviewed graduates who can't answer "Write a loop that counts from 1 to 10" or "What's the number after F in hexadecimal?" Less trivially, I've interviewed many candidates who can't use recursion to solve a real problem. These are basic skills; anyone who lacks them probably hasn't done much programming. Speaking on behalf of software engineers who have to interview prospective new hires, I can safely say that we're tired of talking to candidates who can't program their way out of a paper bag.
My pet peeve these days is diploma mills. A certain big, well-regarded university I know of seems to churn out unqualified masters students. I talked with the dean of CS there once about it, and he just said "We're already requiring so many courses, we can't require any more". Perhaps they need to be pickier about who they admit, but I've heard it speculated that the CS masters program is a profit center; and being pickier would hurt their bottom line.
Another useful data point is whether the person in question successfully gets lots of code into well-run open source projects like Wine or the Linux kernel. Handy tools to search for commits include http://ohloh.net/ http://marc.info/ and http://cia.vc/ . (And yes, despite being a wine advocate for years, I have fewer than 100 patches in. Lame! :-)
-
Re:Seriously?
"This is a University, not a business."
I hate to break this to you, but universities are businesses, and reasonably large ones.
"There's no cost, no down time."
Every successful intrusion costs, and requires down-time. Sure, the guy SAYS he didn't do anything bad or leave behind any surprises, but how far can you trust a guy who broke into your system to begin with?
"I'm sick an tired of seeing these cookie cutter CIS & IST majors graduating having ZERO or less then one year of real world experience. I would much rather hire this guy."
I strongly recommend you read this email from Marcus Ranum to the firewall-wizards mailing-list for an alternative point of view.
Charles
-
Re:More sites need to implement DNSSEC,
It was posted on the djbdns list : http://marc.info/?l=djbdns&m=121832806123954&w=2
-
Re:BIND rewrites
-
Linus does not mean obfuscation
Note that the quote from Linus continues:
That said, I don't _plan_ messages or obfuscate them, so "overflow" might well be part of the message just because it simply describes the fix. So I'm not claiming that the messages can never help somebody pinpoint interesting commits to look at, I'm just also not at all interested in doing so reliably.
He doesn't believe in obfuscating changelogs, just not filling them with security information making it easy to find vulnerable kernels.
-
Re:This exploit is extremely limited in scope...
There's malware out there that takes advantage of security holes in Windows that are only known to the malware authors (and never reported to Microsoft). That dwarfs my earlier 10% number by potentially increasing it to 90+% of the PCs out there.
If malware attracts attention the bugs in Windows will get fixed. By keeping a low profile they can continue to exploit these bugs. Intel does _not_ fix all the errata and even if they would do so, who will update their CPU microcode?
To add, CPU errata can be worked around by the BIOS and software.
Again, not all errata get fixed by Intel and who updates their BIOS? As for the OS/Application level:
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
Think of it this way... If the programmers of Adobe Illustrator found that specific CPUs were unable to properly calculate/draw a circle correctly due to CPU errata, the responsibility would fall on those programmers to come up with a workaround.
The bugs are in Intel hardware (or microcode), why would Adobe be responsible for a workaround?
-
Re:It must depend some on the OS
Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source):
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
People have been aware that microprocessor bugs are potentially quite dangerous for some time now. Here's a write-up of Adi Shamir's report to RISKS about using processing bugs to steal private encryption keys.
-
Re:It must depend some on the OS
Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source):
Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us. Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware. Now Intel is telling people to manage the MMU's TLB flushes in a new and different way. Yet even if we do so, some of the errata listed are unaffected by doing so.
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
And from TFA:
"It's possible to fix most of the bugs, and Intel provides workarounds to the major BIOS vendors," Kaspersky said, referring to the code that controls the most basic functions of a PC. "However, not every vendor uses it and some bugs have no workarounds."
Sounds like the same issues to me.
-
Re:RMS hair splitting
I think what he means is less choices now makes more choices tomorrow. And here we've reached the exact point where the hair splits. Same Stallman, same thread:
"... I can encourage installing Emacs, GCC or OpenOffice on Windows, but I should not encourage installing non-free programs on GNU/Linux or BSD, just as I should not encourage installing Windows." (here)
"Providing a recipe to install a non-free program is very direct and clear support for its use. Making your free program work with something non-free if that's already installed is not such a direct message of support." (here)
-
RMS hair splitting
It's true.
Stallman: "Since I consider non-free software to be unethical and antisocial, I think it would be wrong for me to recommend it to others. Therefore, if a collection of software contains (or suggests installation of) some non-free program, I do not recommend it. The systems I recommend are therefore those that do not contain (or suggest installation of) non-free software." (from here)
-
Re:Yes.
From the should-I-comment-out-these-lines post, apparently both lines were flagged, or at least the person using the tool thought they were flagged, which has much the same effect.
-
Re:Debian "Moles" What Prevents Them?
I doubt that a malicious mole would have invited this exchange. But perhaps that makes it all-the-more brilliant, hmm?
Seriously, if one wanted to compromise the Debian codebase, there'd be far subtler places to do it. The fact that this gaping hole went undetected for two years suggests that there's probably little need to insert new ones.
-
Re:Once again, shoddy code leads to errors
He might have, uh, I don't know, ummmmmmmmmm... gotten the opinion of the upstream developers first?
http://marc.info/?l=openssl-dev&m=114651085826293&w=2
-
Re:It will be fixed
This is exactly what he did. And upstream agreed it was a good idea
http://marc.info/?l=openssl-dev&m=114652287210110&w=2
Ronny
-
Re:Once again, shoddy code leads to errors
If he really needed to do it then why didn't he ask, and get the opinion of, uh, I don't know, ummmmmmmmm......the upstream developers first?! He did:
http://marc.info/?l=openssl-dev&m=114651085826293&w=2
-
Re:stupid stupid stupid
Wow, that was still a really stupid patch. There was an #ifndef PURIFY there for a reason. It's because the openssl authors knew that line would cause trouble in a memory debugger like Purify or Valgrind. http://en.wikipedia.org/wiki/IBM_Rational_Purify
Actually, Kurt did ask on openssl-dev whether this change is acceptable, and did not get any answer that this would be a no-no (his mail and subsequent answers can be seen here).
-
Re:stupid stupid stupid
Looks like Kurt didn't feel quite sure about the patch from the start:
http://marc.info/?l=openssl-dev&m=114651085826293&w=2
In a follow-up message, Ulf Möller of OpenSSL approved of the patch. He at least should have known better.
-
Re:It will be fixed
Imagine if Microsoft reserved the right to modify any software for Windows in any way it saw fit! Yet that's exactly what Debian (and Fedora and Mandrake and Ubuntu) said to me - they reserve the right to make any modifications they like to the software they ship, and if upstream don't like it, tough luck.
Though, as has been pointed out elsewhere, the Debian package maintainer did raise this issue with the openssl developers, and was basically told "go ahead, it's OK."
-
Re:It will be fixed
The consensus in the bug report seems to be not to do it, but then someone adds the patch anyways.
The package maintainer first checked with upstream about the best way to resolve this. In retrospect, it's clear that upstream didn't either understand what was being asked, or what the code was doing. In any event, another Debian Developer, Luciano Bello, later found the problem and resolved it.