Re: [gpsd-dev] Moving ntpd to an open VCS
From: Harlan Stenn
Subject: Re: [gpsd-dev] Moving ntpd to an open VCS
Date: Wed, 23 Oct 2013 22:19:03 +0000

Gerry Creager - NOAA Affiliate writes:
> I've been casually installing ntpd to all my systems for years. It's core
> infrastructure stuff. It IS casually installed.

I agree with you - I was being more casual still! I meant that folks
either get it with the OS or decide they need it and install it. Folks
generally don't just decide to install it for no reason.

> And, for what it's worth, I found the comment humorous and hardly myopic.

I was guilty of the same thing I accused Gary of, I focused on a small
part. Yes, the privacy invasions are corrosive and pernicious, and from
a limited perspective his comment was sadly humorous.

I just wanted to be sure folks were aware of the larger picture, which
includes other than sniffing or cracking, and can include significant
financial and even life-threatening situations, in both individual and
societal scales.

H
--
> On Wed, Oct 23, 2013 at 2:58 PM, Harlan Stenn <address@hidden> wrote:
>
> > "Gary E. Miller" writes:
> >
> > > On Wed, 23 Oct 2013 07:38:35 +0000
> > > Harlan Stenn <address@hidden> wrote:
> > >
> > > > > security patches private is not generally accepted by the
> > > > > open-source community. I'm not going to argue the merits here
> > > > > because my personal views are not very relevant; what matters is
> > > > > the social fact that most open source developers are fans of prompt
> > > > > full disclosure, or at most a very short timeout. The minority that
> > > > > partially agrees with you will not save you on any of these other
> > > > > issues.
> > > >
> > > > ...
> > > > be, depending on the definition of "prompt". The NTP Project's
> > > > software is core infrastructure stuff. It's not something people
> > > > generally casually install. If we get a security report, we contact
> > > > folks like CERT and they get back to us and usually ask for at least
> > > > a 45 day disclosure embargo after we get them patches so the OS
> > > > > vendors and various gov't agencies can prepare for the "announcement".
> > >
> > > > Yes, you really need to give the NSA a chance to exploit your bugs before
> > > anyone can patch them.
> >
> > Are you joking?
> >
> > If not, please consider some other possibilities where that is a myopic
> > and half-baked response, borderline pernicious, and paints you in an ill
> > light.
> >
> > H
> >
> >
>
>
> --
> Gerry Creager
> NSSL/CIMMS
> 405.325.6371
> ++++++++++++++++++++++
> “Big whorls have little whorls,
> That feed on their velocity;
> And little whorls have lesser whorls,
> And so on to viscosity.”
> Lewis Fry Richardson (1881-1953)