Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: Rhialto <>
From: Garrett D'Amore <>
List: current-users
Date: 04/10/2006 14:35:51
Rhialto wrote:
> On Mon 10 Apr 2006 at 16:34:32 -0400, David Maxwell wrote:
>> I couldn't disagree more.
>> Are you suggesting that companies shouldn't contribute to open source
>> projects because they'll then come under fire for not "giving away"
>> the way they make their business work?
> It makes it more difficult to verify what is going on. Many security
> analists argue that full disclosure of any security bugs in products is
> the best overall strategy. Do we know now if all problems that are found
> are being disclosed, or if perhaps some are witheld? I guess we can't
> check. (Yes, I tend to be paranoid)

Even so, the *public* disclosure of the bugs that they *have* disclosed
and their subsequent fixing should only, I think, be regarded as a good
thing.  Without this kind of disclosure, we might not even have *those*
bug fixes.

The conspiracy theorists might argue that there is an attempt to
increase the confidence in these systems, and that by withholding info
on certain holes, the US govt (or others) might be trying to lull folks
into believing their systems are more secure.

I consider such notions a bit far-fetched, and am thankful to Coverity
for providing what they have.  At best it sheds light on bugs that we
can fix, at worst we can just ignore them.

>> NetBSD, and all its users are benefitting from the improvements to the code
>> base that come as a result of this voluntary contribution on Coverity's part.
>> NetBSD is the open source project, our code is open.
> The code is, but you also want to know why changes are made. I
> understand there are humans in the loop, acting on reports to see if
> they are spurious or otherwise incorrect. That is very important.

Of course.  No one is suggesting that any tool be used to "automate"
code changes to NetBSD.  Certainly not a proprietary tool.

>> Coverity is a for-profit business. That they choose to give us _anything_,
>> is charity on their part.
> Apparently, the DHS is paying for it, at least that is how I interpret
> what is written on the mentioned webpage.

They may or may not be contributing funding.  DHS wants the Internet to
be more, not less, secure.  In any case, who cares who pays for it if
the end result is positive?

>>> Also, the apparent involvement of the
>>> department for so-called "homeland security" [1] brings a certain taint
>>> along.
>> While some people may dislike some of what that (US) Government
>> department does, would you claim that makes it impossible for them to
>> fund any thing which is worthwhile and beneficial?
> They might fund such things, but these people might question the motives
> behind it. Again, I tend to be paranoid.

Heh.  Well, if you're that paranoid, then you can always get rid of all
your electronic computers and such, move to some uncivilized portion of
the world (if one can be found) where you can grow your own food, free
from concerns that the FDA may have ulterior motives in the food and
water distribution, the Department of Transportation may have ulterior
motives in their funding of the highway system, etc.

I guess it does make sense to consider *what* the impact of the actions
of any government or commercial entity are when giving something away,
but in this case I think there is an obvious rational explanation -- the
US government simply wants systems to be more, not less, secure against
attacks by hackers both foreign and national.   Its an obvious
self-interest -- it doesn't do anyone any good of al Queda or whoever
are able to bring about an economic crisis by taking out the nations
information systems.

Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
Phone: 951 325-2134  Fax: 951 325-2191