RE: IPFilter

On 17 Apr 2001, at 16:52, jan_(_at_)_hundert6_(_dot_)_de wrote:

> > Otoh if OpenBSD is billed as being a secure OS with a quick reaction
> > time to vulnerabilities a patch (as with the other problems such as FTP
> > and NTP lately) would be in order. What's the use of following the stable
> > branch if problems like this have to be fixed separately?
> Simple. 
> You keep track of all the effort that is currently being made and the
> results at any given moment. This doesn't automatically mean you get
> patches for everything that appears to have flaws.

I think all of us who use OpenBSD are EXTREMELY grateful for the work 
the OpenBSD team puts in, and astonished at what they do for us.  
Certainly we all understand that this wonderful work needs to be 
prioritized.  I take the postings in this thread as a plea that ipf 
is very important to a lot of people, and we are requesting that the 
priority for this patch be boosted.

There are some odd paradoxes at work here.

1.  There is a double-standard in this group.  On the one hand, users 
are expected to update systems "by the book" (e.g. FAQ.)  Now we're 
expected to go outside the book and use somebody else's book?  ("You 
did *WHAT* to your system?  Then don't expect help from *US*! ...")  
The FAQ explains how the community expects systems to be updated.  We 
can't have it both ways.  Either we accept that systems will be 
updated by the FAQ or not.  If we expect it will be done by the FAQ, 
then if the code needed to update is not in the CVS repository, 
that's a problem.  

2.  Anyone who reads the blizzard of security announcements in the 
Linux world has *GOT* to be eternally grateful to Theo and the crew 
for freeing us from what I call the Culture of Emergency.  In the 
Linux world, everyone lives by *nothing but* the culture of 
emergency, because that's the only mechanism they have.  While the 
code audits in the OpenBSD world have given us an amazing amount of 
freedom from the Culture of Emergency, I can't imagine that anyone 
believes the OpenBSD team is perfect.  Some day there will be an 
emergency.  It would be very paradoxical indeed if the current 
amazing success at liberating us from the Culture of Emergency 
renders us less able to cope with a real emergency.

The closed source world likes to sneer at the open source world 
because -- they claim (*FALSELY* IMHO!) -- that no one in the open 
source world will accept accountability.  I, for one, am quite 
pleased at the accountability taken by the OpenBSD team.  Compared to 
what you have to do to secure a Linux out-of-the-box installation it 
is like a form of heaven.  I'm sure the current IP Filter will make 
it into the CVS repository "soon".  But I don't see anything wrong 
with using this group to speak up for what one would like to see 
"really soon".  This kind of give-and-take between users and 
developers is healthy, as long as those of us on the user side are 

#include <disclaimer.h>
Jim Rosenberg
Ross Mould
259 S. College St.
Washington, PA  15301
(724) 222-7006 x 189
E-mail: jrosenberg_(_at_)_rossint_(_dot_)_net