Check out this little snippet (the whole message can be found on lwn.net) from an email from Theo:
We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny).
Please do publish that letter, Theo. That would be very interesting.
FWIW, I agree with the comment made by The_Noid on the same lwn.net page I previously mentioned about how the manner in which Theo handled this was very appropriate:
If the details to this vulnerability would have been released (even with patches) just about every Linux box on the planet would have been cracked before the owners would've had time to install the patch. Publishing a fix to this problem will only tell the cracker exactly where the problem is.
So they first work around the bug, without actually fixing the bug and telling what is it and where it is, so crackers can't make an exploit before people are immune (and I repeat, a direct fix would exactly tell the cracker what the bug is.)
A bug like this is what every cracker is dreaming of, a way into just about every unix machine on the planet!
If the details to this vulnerability would have been released (even with patches) just about every Linux box on the planet would have been cracked before the owners would've had time to install the patch. Publishing a fix to this problem will only tell the cracker exactly where the problem is.
Nice story, but most GNU/Linux systems weren't affected by this bug at all. Unfortunately, we now know that privilege separation didn't help much because of a BSD kernel bug.
Alan Cox was calling Theo to task because he didn't like how Theo concealed the exact security problem until a workaround was given out. This is an attitude some developers have. It's not the best attitude from a customer/end-user standpoint, but some people who write code and give it away for free use still don't understand it. Alan Cox sounds like, despite him being a valuable asset to the community, he does not understand this.
If he'd have said, "for all we know, OpenBSD could attract near-earth bodies" would you post this comment as "eerily prescient" on the recent asteroid stories? Sometimes things just aren't related. Despite what Mulder may think.
The only person using the word "eerily" is you. By Theo's own admission, Alan wrote him an email indicating that some people don't trust him. That's very different from what you state - that he simply didn't like the way Theo was handling things.
Whether or not Alan overstated his case is subject to debate. But what Theo said Alan told him is not. That is why having the complete text of Alan's email would be interesting. Or would you rather argue your position from a position of ignorance?
Without having read the letter, or any of the rest of the discussion between them, it's quite clear that Theo and Alan were having a bit of an argument. Alan overstepped the bounds of civility, but we don't really know what kind of provocation he was subjected to. And Theo doesn't exactly have a reputation for inspiring mild-mannered discussions.
Also, Alan didn't decide that this needed to be dragged out into public, and Theo did. So it is up to Theo to prove that he was justified.
And all of this is totally unrelated to the current problem. I.e., how to let everyone who updated the code with the wrong version be warned that they need to update it again.
This whole episode is very bizarre.