Re: Nomination question: Redhat
On Sun, Dec 13, 1998 at 05:12:22PM +0000, James Troup wrote:
> > I am not aware of the problem with fte other than that I recall seeing
> > one and seeing a fix happen. The programs which were and should not have
> > been suid included system config utilities on at least two occasions
> > which is half of them that I know of (I know of 4 individual instances)
> You're still missing the point. The stuff on Redhat was not
> immediately exploitable, it just could have been; fte being suid meant
> any user could alter any file (e.g. /etc/passwd) just by running the
> editor. You're also continuing to ignore how many SUID binaries we
> have, and how few of them have been glanced at, never mind audited.
I've already said that I was not generally aware of the details of this
problem, only that it had been found and fixed. Yes, it was a problem, and
a serious problem.
Most Linux dists don't have dedicated people auditing code. If Redhat
does, good for them. I still think Redhat is too eager to release things
without proper testing. Redhat 5.0 was a nightmare, as was 4.0--the rule
from the dos/win world was never trust a .0 release because there are
going to be serious rough spots and bugs that should never have been
released. Redhat seems to be an example of that in the Linux world and
frankly it concerns me. Given that these problems have shown up in their last
two releases within two or three days of release, something tells me they
should have waited a few days before release until their testing was
complete. Or if the reports came from others (as at least one of them
did) maybe it indicates they need a more open development process
allowing people more chance to try what they are currently working on and
fix bugs before it ships?
> > > In general Redhat respond faster than us to most security incidents
> > > and Redhat have Alan Cox auditing code. We don't.
> > Dear me! What ever are we going to do without a kernel hacker?
> You fail, once again, to even vaguely grasp the point. Auditing is a
> _good_ thing, whether it's done by one ``kernel hacker'' or a team of
> people (OpenBSD). We don't do it; Redhat does. And, BTW, dismissing
> Alan Cox as nothing more than ``a kernel hacker'' is the most crass
> thing I've ever seen you do.
I'm not about to bow down and worship Alan Cox, Linus Torvalds, Eric
Raymond, Richard Stallman, Bruce Perens, the Pope, you, my neighbors, or
anyone else for that matter. The way your argument looks to me is "they
have Alan Cox and we don't so they must have a better security team." So
they have Alan Cox working for them; I don't consider this a big deal.
As for Alan being more than a kernel hacker, what more is he? What makes
him so special that the distribution that hired him is so much better
than everyone else? He can code? A lot of people can code.
"Shall we play a game?" -- WOPR
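The thread above turns on two practical points: a setuid-root editor lets any user write any file, and nobody had enumerated how many setuid binaries the distribution ships. The following is an added example, not code from this thread or from either distribution, of the audit a practitioner would run to answer the second question: list every setuid/setgid file under a root and flag those not on an allowlist. The sample tree it builds (a setuid `su`, a wrongly setuid `fte`, an ordinary `vi`) and the allowlist file are constructed for the example; on a real host you would run it as root against `/` with your own allowlist.

```shell
#!/bin/sh
# Setuid/setgid audit. Added example; the sample tree and allowlist are
# constructed here and do not describe any real system.

# Print every regular file under $1 carrying the setuid (4000) or setgid
# (2000) bit, one path per line, sorted. -xdev keeps find on one filesystem
# so /proc and network mounts are not walked.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# $1 = root, $2 = allowlist (one path per line, relative to the root).
# Print every setuid/setgid file under the root that is not allowlisted.
# Anything printed is a program that runs with someone else's privileges
# and has not been reviewed for that: an editor here is an arbitrary file
# write as root, which is exactly the fte problem discussed above.
find_unexpected_setuid() {
    root=$1
    allow=$2
    list_setuid "$root" | while IFS= read -r path; do
        rel=${path#"$root"/}
        if ! grep -qxF "$rel" "$allow"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Build a constructed sample tree (not a real system) to exercise the audit:
# one legitimately setuid program, one editor that must never be setuid,
# one ordinary binary, and an allowlist that names only the first.
# Prints the tree's root directory so the caller can audit and remove it.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin"
    : > "$root/bin/su";      chmod 4755 "$root/bin/su"
    : > "$root/usr/bin/fte"; chmod 4755 "$root/usr/bin/fte"
    : > "$root/usr/bin/vi";  chmod 0755 "$root/usr/bin/vi"
    printf 'bin/su\n' > "$root/allow.txt"
    printf '%s\n' "$root"
}

# Stand-alone usage (assumed invocation, not from the thread):
#   root=$(build_sample_tree)
#   find_unexpected_setuid "$root" "$root/allow.txt"   # prints usr/bin/fte
#   rm -rf "$root"
# On a live host:
#   find_unexpected_setuid / /etc/setuid.allow
```

The allowlist is the real output of an audit: every entry is a program someone has read with the question "what can a local user make this do as root?" in mind. Rerunning the check after each upgrade turns a one-off review into a regression test, which is how a `.0` release shipping a setuid editor gets caught before it reaches users rather than two days after.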