Zoltan Arnold NAGY wrote:
> On Thu, Nov 24, 2011 at 5:07 AM, Darren Reed <darrenr%netbsd.org@localhost> wrote:
>> On 24/11/2011 12:13 AM, Zoltan Arnold NAGY wrote:
>>> On Wed, Nov 23, 2011 at 5:55 AM, Jeremy C. Reed <reed%reedmedia.net@localhost> wrote:
>>>>> interest of progress.
>>>>
>>>>> Remember that this is -CURRENT, where things like this are *supposed* to happen?
>>>>
>>>> As for me, I was glad Darren pointed this out. (In fact, I was quite surprised when I read the followup acknowledging known buggy code living in -current.)
>>>>
>>>> [...]
>>>>
>>>> We should suggest and even force that code known to be broken to be reverted. (Well I think this is already true, but not happening?) (It will be easier when we have a better revision control so many can work easier on branches.)
>>>
>>> When I committed the code, I did test it with both v4 and v6. Apart from the TCP state engine bugs, I did not encounter any issues, that's why the commit. Sorry if it got thru. I'll work with rmind@ on the weekend to fix these.
>>
>> Let me summarise the email to which I responded for the benefit of yourself and others in a single sentence: "The IPv6 merge introduced numerous security bugs."
>
> Could you list non-NPF specific security bugs that were introduced? I have still yet to see a list.
>
>> Exactly what testing was done prior to the merge and how was it done?
>
> Regular usage scenarios. No automated testing with a packet generator, if that's what you're suggesting.
>
> If we did introduce security holes even when npf is disabled, I sincerely apologize; if we did not, then I seriously don't get your tone.

Because even if it is disabled by default, there's nothing stopping someone from downloading -current today, using npf and falling victim to the bugs. There's more reasoning but I just can't seem to put the thoughts and ideas into coherent sentences (everything I try just comes out wrong). My apologies for that.

Darren