Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] remote

Matt Doughty wrote:
> On Thu, Jun 27, 2002 at 06:48:14PM +0900, B0Ti wrote:
>>Well, the latest openssh (3.4) is said to be safe, but you never now what's next.
>>Yesterday we had a Theo Bug, tomorrow we might have a Tatu Bug. Open had only one
>>remote hole in six years, afaik Tatu's had more.
> Open what? OpenSSH hasn't been around 6 years more like 2-3.

Yeah, I think he meant OpenBSOD.

> As for that ridiculous claim about the default install. Dude they basically turn
> off all services in the default install [...]

I will not argue that Open has its shortcomings, but I *like* the way a 
default install is carried out. When *I* do a Redhat install, for 
instance, the first thing I do (before even plugging eth0 in, thank you) 
is hunting down and disabling or uninstalling all the crap that runs by 
default. I would rather, a la OpenBSD or Gentoo (there are others, these 
are just the two I am most familiar with), add just what I need and not 
have to worry that I missed something.

> and then say "no remote exploit in blablabla".  Their record isn't
> any better than just about anybody elses.

This is debatable. The OpenBSD team in general and Theo in particular 
*have* done a lot for the Open Source community. Their code audits have 
turned up quite a few things that people have been able to fix proactively.

The catch is, of course, that Theo has brought quite a bit of 'tude 
along with him. And we are not talking about the reasonable, 
constructive type of attitude.[1] We are talking about plain nastiness 
and general antisocial behaviour. Read the archive of the mails that 
flew back and forth between Theo and NetBSD core right after Theo got 
the boot from core and got his CVS access revoked.[2] I did, and even 
presented from Theo's point of view, he comes away looking bad.

> No you have to go through the trouble of downloading a tarball, and compiling it.
> Life is difficult.  As is I have had to upgrade my boxes once in the last year, and
> the bug wasn't even exploitable on my boxen I just did it because it only took 
> like 15 minutes.

Which SSH do you use? I am trying to get away from OpenSSH on my stuff. 
Just too scary recently!

[1] (but check this 
out, as well, courtesy of Google:

Josh Glover <>

Associate Systems Administrator

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links