Slashdot Mirror


Sniping at OpenBSD

Noel writes "An article at RootPrompt.org talks about the reaction to the announcements by the OpenBSD developer team about new exploits that implied that the developers had been hiding the truth about the exploits so as to not tarnish the reputation of OpenBSD."

  1. Molehill by frankie · · Score: 3

    This is a non-issue. I read the whole silly flamewar on Bugtraq, and I agree with Theo. The point of OpenBSD is that they repair the source IN ADVANCE, even before they know what the potential problems are.

    People found an exploit for a version that's two months out of date, and they're having sour grapes because they only got to bask in the H4X0R spotlight for negative sixty days.

    1. Re:Molehill by SirGeek · · Score: 2
      And how many people are still running the 2-month-old version? 95% of people do NOT run the latest and greatest (especially companies where they have to run the same version on all systems until it has been tested) and in fact, most probably skip versions or they would have to update all their servers every few months (not easy or practical).

      The problem that Bugtraq has (I think) is that they fix "bugs" (not really, it's programming style) and then don't tell anyone that it "could" be exploited... then when some other BSD does get bitten by the "bug" they yell "See... We fixed it already..." (when they should have at least announced the potential for it to be exploited.)

    2. Re:Molehill by DrWiggy · · Score: 2

      Yeah, but they don't fix every bug do they? For example, now format string bugs are starting to appear, there is a whole new class of vulnerability that caught even the OpenBSD off-guard.

      With regards to keeping the holes they find to themselves - well, if you had ever tried writing an exploit, you would realise that just because there is a dodgy function call deep within a load of code, being able to exploit that vulnerability is another matter completely. I think they just patch everything they can, and if it's later found to be exploitable then I think they have the right to say they fixed that hole 3 years ago. :-)

  2. What's your OS audience / community / tribe by sniggly · · Score: 2
    Those who require the tight security OpenBSD provides are also those who will have subscribed to the relevant OpenBSD announcement lists so they always have the opportunity to fix any problem that might lead to an exploit.

    If you require tight security and yet you run an OS without the latest security patches, you're asking for trouble no matter what OS you're using.

    <I'm getting tired of this mode on>
    At times it's discouraging to see so much pointless bickering and the "My CPU/OS/GUI/Car/Race/Planet/Dogma is better than yours" and all the "neer neer neer" having to do with that attitude. And it makes me shake my head in some cases to see some media pick up on it and actually present some of this dreary immature factionalism fit for the stone age as if it represents the viewpoint of any sizeable group or even project.

    To say that OpenBSD "was hiding the truth" by not flooding BugTraq (while posting everything you ever wanted to know on their website and in their lists) is just that type of time-wasting drivel. You wouldn't rely on the New York Times to tell you about what's going on in Kansas City; no, you rely on sources of information relevant to you and scaled to your domain.
    <getting tired of this mode off>

    Sorry about that, I'm actually still capable of getting worked up over this :)

    --
    Of those to whom much is given, much is required.