gpsd-dev

Re: [gpsd-dev] Moving ntpd to an open VCS


From: Harlan Stenn
Subject: Re: [gpsd-dev] Moving ntpd to an open VCS
Date: Wed, 23 Oct 2013 22:19:03 +0000

Gerry Creager - NOAA Affiliate writes:
> I've been casually installing ntpd to all my systems for years. It's core
> infrastructure stuff. It IS casually installed.

I agree with you - I was being more casual still!  I meant that folks
either get it with the OS or decide they need it and install it.  Folks
generally don't just decide to install it for no reason.

> And, for what it's worth, I found the comment humorous and hardly myopic.

I was guilty of the same thing I accused Gary of: I focused on a small
part.  Yes, the privacy invasions are corrosive and pernicious, and from
a limited perspective his comment was sadly humorous.

I just wanted to be sure folks were aware of the larger picture, which
includes other than sniffing or cracking, and can include significant
financial and even life-threatening situations, in both individual and
societal scales.

H
--

> On Wed, Oct 23, 2013 at 2:58 PM, Harlan Stenn <address@hidden> wrote:
> 
> > "Gary E. Miller" writes:
> >
> > > On Wed, 23 Oct 2013 07:38:35 +0000
> > > Harlan Stenn <address@hidden> wrote:
> > >
> > > > > security patches private is not generally accepted by the
> > > > > open-source community.  I'm not going to argue the merits here
> > > > > because my personal views are not very relevant; what matters is
> > > > > the social fact that most open source developers are fans of prompt
> > > > > full disclosure, or at most a very short timeout. The minority that
> > > > > partially agrees with you will not save you on any of these other
> > > > > issues.
> > > >
> > > > ...
> > > > be, depending on the definition of "prompt".  The NTP Project's
> > > > software is core infrastructure stuff.  It's not something people
> > > > generally casually install.  If we get a security report, we contact
> > > > folks like CERT and they get back to us and usually ask for at least
> > > > a 45 day disclosure embargo after we get them patches so the OS
> > > > > vendors and various gov't agencies can prepare for the "announcement".
> > >
> > > > Yes, you really need to give the NSA a chance to exploit your bugs before
> > > anyone can patch them.
> >
> > Are you joking?
> >
> > If not, please consider some other possibilities where that is a myopic
> > and half-baked response, borderline pernicious, and paints you in an ill
> > light.
> >
> > H
> >
> >
> 
> 
> --
> Gerry Creager
> NSSL/CIMMS
> 405.325.6371
> ++++++++++++++++++++++
> “Big whorls have little whorls,
> That feed on their velocity;
> And little whorls have lesser whorls,
> And so on to viscosity.”
> Lewis Fry Richardson (1881-1953)
> 


