[ROS] The perils of security tools

[Steven M. Bellovin]

On Tue, 13 May 2008 12:10:16 -0400
"Jonathan S. Shapiro" <shap at eros-os.com> wrote:

> Ben's points are well taken, but there is one *small* piece of this
> where I have some sympathy for the Debian folks:
> 
> > What can we learn from this? Firstly, vendors should not be fixing 
> > problems (or, really, anything) in open source packages by patching
> > them locally - they should contribute their patches upstream to the
> > package maintainers.
> 
> The response times from package maintainers -- even the good ones like
> the OpenSSL team -- are not always fast enough. Sometimes, vendors
> don't have a choice. There is a catch-22 on both sides of this coin.
> 
I was going to post something similar.  I maintain several pkgsrc
packages (http://www.pkgsrc.org); while most upstream maintainers are
happy to receive bug fixes, others range from indifferent to downright
hostile.  For example, I once reported a portability bug to a
developer: POSIX standards *require* that a certain system call reject
out-of-range arguments, and NetBSD enforces that check.  The Linux
kernel (or rather, the kernel of that time; I haven't rechecked lately)
did not.  Fine -- a minor standards issue with Linux.  But the
application I was adding to pkgsrc relied on the Linux behavior and the
developer angrily rejected my fix -- the standard was "stupid", and he
saw no reason to change his code to conform.

Usually, though, indifference is a bigger problem.  The NetBSD internal
developers' mailing list has seen numerous complaints about *major*
package developers ignoring portability and correctness fixes.  If it
isn't Linux and it isn't Windows, it doesn't matter, it seems.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com