koitsu (Premium, joined 2002-07-16, Mountain View, CA), reply to justin, Re: Doh
I've spent too many years working with OSS to confuse the two. The response I speak of I've received from members of the Apache team (re: RFC931/1413 flaw which could lead to a buffer overflow and still exists today, re: zombie processes caused on many systems in 1.3.29), developers of SpamAssassin (re: spamd leaving zombie processes around on BSD systems), BIND 8.x (re: potential security hole: zone transfer tempfiles put in main root dir only when using key-based authentication, requiring the daemon to have full rwx access to /etc/namedb, rather than putting them in the appropriate zone directory from each zone directive), GNU screen (re: code checking for ~/.nethackrc despite "nethack off" being specified in .screenrc), PHP 4.x (re: returning status code of 200 regardless of what Apache says is a legitimate command; still exists today), FreeBSD sendmail updates (re: expanding etc/mail/Makefile to support sendmail's "cidrexpand" script so one can use CIDR notation in etc/mail/access; this is more of a feature, but the response was a real let-down) and numerous other mainstream applications.
I've been trying to keep a list of all the issues I've reported which go either unresponded to or elicit the standard "You have the source, fix it yourself" response, but I run into stuff too often to maintain a coherent list...
I'm just one guy with very interesting experiences with the OSS community, most of them negative. But it still warms my heart (honestly) when I see an OSS developer step in and say "Thanks for reporting this! I'll provide and commit a patch in a few minutes," or simply push out a new release.
Anyways, without getting too off track, my point is that people's responsibilities shouldn't be nullified whether or not the application is free or commercial.
-- Making life hard for others since 1977.
justin (Australian, joined 1999-05-28, Brooklyn, NY), reply to koitsu
really? that doesn't sound like any OSS projects I can imagine. Are you sure you are not confusing requests for features you want, which may of course be ignored, with notification of important bugs and security problems?
koitsu (Premium, joined 2002-07-16, Mountain View, CA), reply to justin
In the case of the MT folks, they've been generally pretty responsible when it comes to providing patches and being up-front with users about the impact of bugs or security flaws. It's good to see that some open-source developers still believe in taking responsibility for their code.
My statement was more general than it was specific to the MT authors; the majority of my experiences with OSS authors has been "since we give you the code, you can fix the problem yourself." It's that kind of excuse which makes me wonder how many people live in hobbit holes...
-- Making life hard for others since 1977.