Slashdot Mirror


User: boots@work

boots@work's activity in the archive.

Stories: 0
Comments: 668

Comments · 668

  1. Re:SCO PR department working overtime. on SCO Claims Linux Sales After Suit Irrelevant · · Score: 1

    Dude, he said "assuming they have authority to do so." If you take computers home from the office and you're authorized by management to do so then is it OK? Yes, of course it is.

  2. Re:Interesting article, but not really about testi on Inside The Development of Windows NT: Testing · · Score: 1

    One tiny thing I've always wondered about is whether Microsoft people use diffs to the same extent as open source people. In that kind of build-fix model I'd be inclined as a developer to pass around a patch that I thought fixed the problem. But there doesn't seem to be the same awareness of patch/diff as tools.

    Are they still using Perforce, or something more tricky? 5000 developers is a hell of a SCM problem.

    Imagine testing an Xwindows application to configure networking while the kernel is changing, the networking core is changing, Xwindows is changing, the shell is changing, the compiler is changing, your application is changing, and the tools you use to test with are changing. It is a challenging job.

    I want to say "don't do that then"...

  3. Re:Comparing with the UNIX model on Inside The Development of Windows NT: Testing · · Score: 1

    Allows for multiple independent subsystem operation (e.g. Win32 and OS2/1.0 and POSIX); significantly more advanced than (e.g.) Linux and BSD.

    This is a complete furphy. Have you ever heard of anyone actually using the POSIX or OS/2 subsystems of NT? I certainly haven't. The fact that the APIs are intentionally crippled might have something to do with it -- there's not even any networking support under POSIX. They were put there merely to satisfy the "POSIX compliant" checkbox.

    With Linux anyone can implement a new process personality, and this has been used to support Solaris binaries on linux-sparc or SCO (heh) binaries on linux-x86. There is genuine and practical support for providing multiple APIs.

    NT has the classic microkernel problem of being incredibly flexible and tidy in theory, but messy and limited in practice.

  4. Re:Seriously.... on Inside The Development of Windows NT: Testing · · Score: 1

    Um, that's what he was saying: holding program managers accountable for shipped bugs won't stop bugs shipping, but it might make them think twice.

    (Though you might hope they'd think twice about it just out of professional pride... but I think at MS the need to crush the opposition has overwhelmed consideration of quality.)

  5. Doh! on LinuxTag To SCO: Detail Code Theft Or Retract Claims · · Score: 1

    Of course you're right. I thought "patent" and for some reason typed "copyright".

    End users cannot be held accountable because they bought a product that included someone else's copyrighted code.

    That seems right to me, but I wonder. A lot of SCO's FUD against Linux users relies on the idea that customers may be liable. Their letter says:

    [...] Linux distributors do not warrant the legal integrity of the Linux code provided to customers. Therefore legal liability that may arise from the Linux development process may also rest with the end user.

    Since proprietary licences generally disclaim liability too, one would expect their customers to be in the same position -- at least if it is possible to disclaim liability for this.

    Microsoft has been convicted of copyright infringement before

    I wonder how many cases have been settled before going to trial, or went to court without a conviction. Just from the sheer number of programs they've released I would think it must have happened a few times.

    The other thing I find bizarre about SCO's letter is their contention that proprietary groups do more to prevent copying. In nearly a decade in commercial software I've never seen or even heard of a development organization that does anything more to prevent plagiarism of code than the Linux team do. And that is: if a programmer suddenly comes up with heaps of code that looks a bit different, people wonder where they got it from. I don't really see how any organization can do any more than that -- well, and hiring ethical programmers. Proving that a particular line was never written before is pretty impossible.

  6. Re:A lot better than all the speculation... on LinuxTag To SCO: Detail Code Theft Or Retract Claims · · Score: 2, Informative

    Could this have been avoided using Microsoft? No, and it's important to make sure people remember that.

    Customers of Microsoft were exposed to lawsuits when Microsoft breached Timeline's copyright with code in SQL server.

    I don't see any Linux customers having their business disrupted and confidential information disturbed by an SPA raid, driven by a rumour from a disgruntled ex-employee. That happens to Microsoft customers regularly.

  7. Re:And the .iso mirrors are ? on Linux Desktop Without X11 · · Score: 1

    It sounds like the worst of both worlds to me -- it's not free (speech or beer) but it also doesn't have the broad support of Windows or Mac OS. Sheesh.

    I'm sure this will appeal to some people who like installing new OSs for the heck of it, but why not try some of the interesting free ones first?

  8. Re:NT and POSIX (not) on GoboLinux Rethinks The Linux Filesystems · · Score: 1

    That's right. For example, you apparently can't do networking from inside their POSIX subsystem -- and how useful is a Unix installation without even localhost networking?

    The book "Undocumented NT" (by three Indian dudes whose names I forget) has a fascinating dissection and explanation of this. Microsoft very cleverly made themselves strictly compliant with POSIX, while making sure that nobody would ever want to use it. But they also left open to themselves, through undocumented APIs, the option of later making the subsystem practically useful. So if it had turned out that POSIX was popular and their plan to move everyone to Win32 failed, then they'd be able to fall back to that, and no doubt embrace-extend-extinguish POSIX. Evil, but kind of clever.

  9. Re:More News... on IBM Denies Charges of Unix Theft · · Score: 2, Interesting

    Let's further assume that Company E released the product to User X under the GPL, before realizing that it included code they didn't mean to release.

    There are really two issues here: is company D's behaviour tortious? And is X still allowed to use the product under the GPL?

    Clearly, D is in trouble, and they had better make damn sure they educate and control their programmers better in future. Their problems are not really particular to the GPL. D would have a similar problem if a programmer copied in a proprietary library without arranging appropriate licensing.

    However, G has granted a licence to use the program to X. The onus is on G to make sure they are not releasing things they don't want to release. I don't really see any grounds for G to revoke X's licence, and in particular saying "we didn't mean to licence that" is pretty lame. So whatever happens to D, everybody else in the world can happily get a copy of the code and use it.

    Obviously the sensible thing for D to do to avoid this is to clearly educate their programmers, and to put up walls between people working on incompatibly licensed code. I don't work for IBM, but I understand that they've done both these things: people are briefed on the consequences of the GPL, and people working on Linux are not allowed to see the AIX source code (etc.) This is not a complete protection, but it should be pretty close.

    Would D be liable if one of their programmers had done a bad thing despite clear and repeated instructions not to do so? I'm not sure, but I would expect it to count in their favour in court.

    I understand that this is one of the reasons why HP and IBM are *not* going to release their own Linux distributions: they don't want to take the legal risk of licensing all that code without having time to review it. (Other reasons include not wanting the bad PR of squishing other distributions...)

    In any case, SCO publishing all this FUD without identifying the particular sections which are supposed to infringe is ridiculous. Even if they don't want to release their code, publishing the name of the program (or subsystem) that is supposed to infringe would allow a quick determination.

  10. Re:Food For Thoughts on Apple Introduces iTunes Music Store, iTunes 4, new iPod · · Score: 1

    The idea behind making the industry more regulated is that the girl would only sign a contract (and hence allow pics) if it allowed her to later remove the pics from circulation, say after a minimum period of five years or so.

    It's an interesting thought experiment. But of course this is a good example of where DRM breaks down: the protected content is widely distributed, there is a high motivation to break it (because everybody loves to see famous people naked), and breaking just one file causes a lot of "damage". Just one Jenna Bush facial shot would be front-page news. :-)

    What are the odds that, for the rest of the model's life, nobody will e.g. take a photo of the screen, or run the viewer under a virtual machine, etc?

    Anyhow, just the knowledge that somebody had posed naked (even if no photos existed) would affect their reputation in a way some people would like to avoid.

    If you could get 3 times more girls modeling through DRM, that could really boost the industry's growth.

    I wouldn't be surprised if technology has in fact tripled the number of girls posing naked: digital cameras and internet access make it easy for people to do it at home, either strictly as amateurs or as semi-professional outfits. More people will agree to their partner snapping some shots than would ever go to a seedy studio.

  11. Re:Microsoft and Novell on Novell to Make Linux Robust and Reliable · · Score: 1

    This is an old and boring fallacy: commercial != proprietary != well-supported.

    Buy a support contract from HP, and they'll answer your questions regardless of whether you're using Linux, Windows, or HP-UX.

    If you're spending enough money to get Microsoft to jump when you call, then I suspect you'll get pretty damn good service from anyone else.

    Being commercial isn't a guarantee of good support anyhow. What happens when the vendor drops the product or goes broke? Your good experience with Microsoft is stacked up against fifty other people who were stuck on the phone to a monkey for hours.

  12. Re:Rabbit! Tasty! on Easter Humor · · Score: 1

    Thomas Paine said all that needs to be said:

    The Christian religion is a parody on the worship of the Sun, in which they put a man whom they call Christ, in the place of the Sun, and pay him the same adoration which was originally paid to the Sun.

  13. Re:ext3? on Tridgell Taking Samba Beyond POSIX · · Score: 1

    How can the parent be +5 informative when the poster is clearly making it up?

    let's imagine it has a concept of transactions.

    1 - ext3 doesn't expose a transaction interface
    2 - CIFS doesn't need it
    3 - Let's imagine moderators are on crack

  14. Re:*ditch* Access, sorta on Sharing MS-Access Databases, Efficiently? · · Score: 1

    Nice image.

    But it's not necessarily a misspelling of "Postgres". There is a relational DB called Progress, and it's actually rather nice. In particular the integration between the scripting language and the database is very clever indeed.

    It's a shame that they didn't manage to catch the internet wave more fully, by being more open, and adding cgi support, and porting to Linux. I remember trying to run the damn SCO binary under iBCS2 years ago.

  15. Re:Writer was 1/2 right. on Deus Ex Writer Discusses 'Dangerous Technology' · · Score: 1

    He figured that if one soldier with a machine gun could do the work of 10 soldiers with rifles, that less men would have to go to war, therefore less would die

    I wonder how many actual coalition infantry troops there are in Iraq? I've heard that the US Army has about 10 back-end support troops for every man in the field, which would indicate about 20,000 infantrymen actually fighting, plus a couple of hundred thousand doing diverse supporting work. In what other era could you capture such a large country with so few men?

    This is not to say the back-end troops are not at risk, or that civilians or conscripts don't get killed, but nevertheless perhaps technology makes war more intense and localized.

  16. Re:Feature? on Samba Exploit Discovered, Fixed · · Score: 1

    Your argument seems to be based on the idea that no one but Microsoft can fix bugs, but this is only rarely true.

    Interesting point. I suppose to be pedantic any bug can be fixed by hacking away at NT with a hex editor if all else fails. Or as you say, you could potentially program a NDS to see the attack, if it has a characteristic signature. Of course a large number of users will not apply random third-party fixes (and how could they trust them anyhow?) It would certainly breach their Microsoft contracts.

    If it is a case where a patch can't be applied, a simple filter could drop the packet before it has a chance to do any harm.

    It is not always possible to detect or filter attacks at that level.

    Ah well, if Microsoft ever fix the bug then it will all come out, along with the email audit trail showing they sat on it for weeks, months, or years. Perhaps that will make your customers feel better.

    Nice talking to you.

  17. Re:Feature? on Samba Exploit Discovered, Fixed · · Score: 1

    bear in mind that there are also professionals among the slashdot crowd, who don't like knowing that they are open and vulnerable in any capacity and are impotent to do anything about it.

    Well, you are. I hope you're enjoying your Windows experience. :-/

  18. Re:Feature? on Samba Exploit Discovered, Fixed · · Score: 1

    We can start the procedures of protection and patching immediately as well.

    No, you cannot. There is no patch from Microsoft, and you can hardly write one yourself without access to the source. I suppose perhaps it might help you decide to just shut down all your NT servers.

    The situation is different for open source software where (at least in theory) people can fix things themselves.

    Microsoft would be forced to resolve the issue.

    This is true, but I agree with Jeremy that it is not ethical to cause damage to systems as a way to force Microsoft to fix bugs.

    I would say at the very least, people could needlessly become victims, with huge losses.

    I'm sorry but I just don't follow your argument here. Microsoft put the bug in, and only Microsoft can issue a patch.

    There is nothing the Samba team or anybody else can do to fix NT bugs. (You can *partially* reduce your exposure by using firewalls and other mechanisms, but presumably you're doing that already.) Only Microsoft can actually fix the problem.

    It is not within the Samba team's power to prevent the emergence of the worm. Their only decision is whether to release the information now and guarantee that it will be used in attacks, or to hold onto it and hope that Microsoft release a fix before it's exploited. Obviously the second is better.

    I didn't ask for him to write me an exploit, I asked for him to attack my box so I could capture the packet and formulate a defense for myself and others.

    Unfortunately for many vulnerabilities seeing a trace of the attack tells you all you need to know -- this is just how DigitalDefense worked out the problem in Samba.

    Jeremy broke the rules by letting people know it's there, when there is no fix.

    What rule is he breaking? He's telling people as much as he can, without actually helping people to write an exploit. Surely that's what you want?

    It is only a matter of time before a vulnerability is exploited. The clock is ticking down to when this issue hits the script kiddy irc channels.

    True. At least, unlike DigitalDefense, the Samba team isn't putting a loaded weapon into every teenage moron's hands. Personally I recommend you deinstall Windows.

  19. Re:Feature? on Samba Exploit Discovered, Fixed · · Score: 1

    You need to read the Schneier/Shostack/etc analysis of threat windows.

    A worm can only exploit a vulnerability when it becomes known to an unethical and motivated person. Releasing the details of a problem would make that happen immediately.

    We can't be sure, but it seems fairly clear that not many people know of this problem, or otherwise we would see it being exploited. I suppose it's possible that a few elite crackers know of this bug and just aren't saying, but they probably know of lots of others too.

    Not releasing the details defers the emergence of that worm until somebody independently discovers the problem. At the very least, we have gained some time. At best, some people who are currently vulnerable may be saved altogether, because they might: upgrade to a hypothetical future release of Windows which is not vulnerable; finally get a patch from Microsoft; switch to Linux; etc etc.

    A possible, future problem is clearly better than a certain, immediate problem of the same magnitude.

    In the meantime people using Microsoft servers might like to ponder the fact that last week, mails to security@microsoft.com *bounced* outright! For a long time before that they were apparently ignored. It shows how much they care.

    Nobody on slashdot has a bona fide need to see the example code; everybody is asking either out of idle curiosity or a desire to randomly damage other people's machines.

  20. Re:Feature? on Samba Exploit Discovered, Fixed · · Score: 1

    Um, no. That would disclose the mechanism of the attack, allowing people to write worms that use it to destroy many Windows servers.

    Entertaining as that idea may be, it would not be very responsible to actually do it.

  21. Re:Evil ideas about exploits on Samba Exploit Discovered, Fixed · · Score: 1

    Solved problem, dude.

    Upgrades should be cryptographically signed; this should prevent anyone releasing bogus packages. All releases from the Samba team are signed with GPG.

    Of course this does introduce another potential problem: if somebody steals the signing key then they can forge releases, at least until the revocation is published. But that key is kept fairly secure, and such an attack has (as far as I know) not happened yet to any open source project.

  22. Re:Err on Samba Exploit Discovered, Fixed · · Score: 1

    Dude, you need distcc.

  23. Re:8 Years?? on Samba Exploit Discovered, Fixed · · Score: 1

    What part of "WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED" don't you understand?

    ---
    Don't use so many caps.Don't use so many caps.Don't use so many caps.

  24. Re:8 Years?? on Samba Exploit Discovered, Fixed · · Score: 1

    People cheering Linux and booing Microsoft is just like football teams -- people rally for whoever they feel emotionally attached to. It's all part of the fun.

  25. Go away troll on Samba Exploit Discovered, Fixed · · Score: 1

    Heh, send exploit code to some random troll at a Hotmail account, who promises to use his special influence to get Microsoft to fix the bug? I suppose you have billg's private phone number?

    Pull the other one. :-)

    These bugs have been sent to security@microsoft.com, with no response. Why should sending them to you be any more effective?

    Disclosing bugs is only useful if there is a fix, or if they're being exploited in the wild. Some of the bugs known by the Samba team are apparently not being exploited, and Microsoft has no apparent interest in fixing them. So revealing them to random trolls would only hurt people with Microsoft servers.

    Arguably it would help people decide not to use MS products, but if the flood of Outlook and Windows worms hasn't done that then I don't know what will. Presumably people like being reamed^W^Wthe products so much that their lack of security is not a consideration.