LWN: Comments on "Upcoming OpenSSH vulnerability"
https://lwn.net/Articles/3322/

This is a special feed containing comments posted to the individual LWN article titled "Upcoming OpenSSH vulnerability".

Wed, 29 Oct 2025 08:42:09 +0000

Upcoming OpenSSH vulnerability
https://lwn.net/Articles/3625/
DeletedUser2239

Heh,

OK, can't refute your statement.

I think I should have made my point by stating that the motive I describe is one to go by. Or I could throw in responsibility...

But it seems my motives are too naive for a burdened free source user/developer.

And indeed opinionated stupidity is the basis on which Theo released the "preliminary" advisory and the following I might add.

Thu, 27 Jun 2002 10:58:50 +0000

Upcoming OpenSSH vulnerability
https://lwn.net/Articles/3371/
DeletedUser2242

As for the statement:

"Customers can judge their vendors by how they respond to this issue."

This is *absolutely* 100% spot-on. Suggesting otherwise has the identical effect as tattooing "I am the lazy and opinionated stupid idiot who prefers to argue why it's not my job to fix a problem rather than just fix a problem" on your forehead.

Grow up kiddies. Shut up and fix it instead of wasting everyone's time and proving you care more for the survival of your own (dumb) opinions than for the safety of everyone else.

Tue, 25 Jun 2002 12:44:07 +0000

Upcoming OpenSSH vulnerability
https://lwn.net/Articles/3370/
DeletedUser2242

That's the biggest crock I've ever heard.

"the world of free source" thrives on opinionated stupidity.
Nobody ever really fixes anything well, because the opinionated dickhead who ends up doing the fix always decides it's "somebody else's problem", and wastes shitloads more time arguing about why they should not have to be the person to solve something or other than it would have taken to just do as they're asked in the first place.

Add to that - when you look at their (usually comment-free) code, it's always amazing that any fix works at all.

Tue, 25 Jun 2002 12:37:43 +0000

Upcoming OpenSSH vulnerability
https://lwn.net/Articles/3332/
DeletedUser2239

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=255989+0+current/freebsd-security

I don't know with what agenda the advisory was released, but one can't call it an innocent one.

I can't refute the statement that a workaround which defuses the so-called hole into nothing more than an unprivileged account getting compromised is a good in-between step.

But a real fix ready Monday next week? That's not an option. Today or tomorrow is.

Furthermore I find the statements made by Theo in his release very dubious.

"Customers can judge their vendors by how they respond to this issue."

Is one of them.

And again there seems to me to be too much old grief and sorrow in the initial announcements and all reactions.

Sure people can differ in opinion, but when it comes to these kinds of threats we "the world of free source", both users and developers, need to stick together.

And "the world of free source" has thrived by sharing ideas and problems.

Tue, 25 Jun 2002 10:38:59 +0000

Upcoming OpenSSH vulnerability
https://lwn.net/Articles/3331/
DeletedUser2238

If the details to this vulnerability would have been released (even with patches) just about every Linux box on the planet would have been cracked before the owners would've had time to install the patch.
Publishing a fix to this problem will only tell the cracker exactly where the problem is.

So they first work around the bug, without actually fixing the bug and telling what it is and where it is, so crackers can't make an exploit before people are immune (and I repeat, a direct fix would exactly tell the cracker what the bug is.)

A bug like this is what every cracker is dreaming of, a way into just about every unix machine on the planet!

Tue, 25 Jun 2002 10:00:42 +0000

Upcoming OpenSSH vulnerability
https://lwn.net/Articles/3330/
garloff

This statement from Theo really makes one wonder what's going on. If a vulnerability is found in a software package, what the one who discovers should do is to contact the authors of the software. This apparently happened in this case. The next step for the authors is to fix the problem and contact distributors. There are mailing lists to coordinate these efforts. A few days later, most distributors should have fixes ready and the disclosure of the vulnerability can happen and all distros can send their sec announcements within a short amount of time.

For some reason Theo seems to imply he does not want to follow this procedure. Instead he wants the distributors to implement a workaround beforehand. Strange way of dealing!

After reading about the Privilege Separation stuff it sounds like a very good idea to me. After reading Theo's "I want to force it down your throats" I'm not so sure any more ...

Tue, 25 Jun 2002 08:33:45 +0000