NetBSD-Advocacy archive


Re: How to respond to security researchers' concerns?



Well, this is 2018, so we now have CISO/CSOs being told "BSD is
dying", and I can't see that ending well. And, yes, I'm biased.

The article overlooks, or fudges, a number of issues. To put this in
words of one syllable:

1. Linux is a kernel. Any BSD is an operating system. Not the same.
2. Simplistic assessment that more eyes are good. True up to a point.
cf. Fred Brooks, "adding human resources to a late software project
makes it later", or Wernher von Braun's "Crash programs fail because
they are based on the theory that, with nine women pregnant, you can
get a baby a month."
3. For Spectre and Meltdown, the largest issue we've seen over the last
few years -- including Heartbleed? -- advance notification required
NDAs, and was late or non-existent for some.
4. Pushing CISOs/CSOs towards a monoculture would not be a smart move
for anyone, a lesson it seems we have to re-learn every 15 years,
although the previous report (from 2003) was about Microsoft --
http://blough.ece.gatech.edu/6102/papers/goth.pdf (and I'm not trying
to get anyone fired here). It does seem the original 2003 paper is now
hard to find.
5. Ignores the times when security issues which cause slowdowns in the
Linux kernel are ignored.
6. Ignores Single Point of Failure issues in basic components of the IT fleet.

I'm certainly not saying that BSDs are on a par with Linux, or that
there are more people working on them. What I am saying is that
diversity is good (a message some CISOs will not want to hear), and
that can be achieved without binary options, banner headlines or
simplistic articles.

On 28 January 2018 at 09:17, Kamil Rytarowski <n54%gmx.com@localhost> wrote:
> On 26.01.2018 21:08, Michael Cheponis wrote:
>> https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.html
>>
>> said some Not So Nice things about NetBSD.
>>
>>
>> What is the Real Truth here?
>>
>>
>> Thanks!
>> Mike
>>
>
> We tend to be good at fixing the bugs, but not at communicating them to
> the users. Every fixed vulnerability could have a security advisory...
> but it is a tedious job.
>
> Would you like to help?
>