[ROS] The perils of security tools
Steven M. Bellovin
smb at cs.columbia.edu
Tue May 13 12:45:08 EDT 2008
On Tue, 13 May 2008 12:10:16 -0400
"Jonathan S. Shapiro" <shap at eros-os.com> wrote:
> Ben's points are well taken, but there is one *small* piece of this
> where I have some sympathy for the Debian folks:
>
> > What can we learn from this? Firstly, vendors should not be fixing
> > problems (or, really, anything) in open source packages by patching
> > them locally - they should contribute their patches upstream to the
> > package maintainers.
>
> The response times from package maintainers -- even the good ones like
> the OpenSSL team -- are not always fast enough. Sometimes, vendors
> don't have a choice. There is a catch-22 on both sides of this coin.
>
I was going to post something similar. I maintain several pkgsrc
packages (http://www.pkgsrc.org); while most upstream maintainers are
happy to receive bug fixes, others range from indifferent to downright
hostile. For example, I once reported a portability bug to a
developer: POSIX standards *require* that a certain system call reject
out-of-range arguments, and NetBSD enforces that check. The Linux
kernel (or rather, the kernel of that time; I haven't rechecked lately)
did not. Fine -- a minor standards issue with Linux. But the
application I was adding to pkgsrc relied on the Linux behavior and the
developer angrily rejected my fix -- the standard was "stupid", and he
saw no reason to change his code to conform.
Usually, though, indifference is a bigger problem. The NetBSD internal
developers' mailing list has seen numerous complaints about *major*
package developers ignoring portability and correctness fixes. If it
isn't Linux and it isn't Windows, it doesn't matter, it seems.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com