Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: TRUST US
From: "Simon J. Gerraty" <sjg @ frodo . dn . itg . telecom . com . au>
Date: Fri, 28 Apr 1995 13:38:49 +1000
To: amolitor @ anubis . network . com (Andrew Molitor)
Cc: firewalls @ greatcircle . com
In-reply-to: Your message of "Thu, 27 Apr 1995 20:06:29 CDT." <9504280106 . AA26135 @ anubis . network . com>

> from person to person. Why do you want the source for your security tools?

So I don't have to rely on a vendor to fix it.

As an example... I stopped using vendor supplied versions of sendmail
in the mid 80's when users were complaining about a particular
sendmail bug (handling of timezones would you believe).  The vendor
(shall remain nameless) could only offer to look at it for the next
release - since we'd just installed the latest that was a long time
away... 

When the recent sendmail/identd problem was reported - I simply
re-compiled sendmail with that feature disabled...

Over the years, I've found and fixed bugs in all sorts of PD and other
freely available s/w.  Over the same period I found and _reported_
lots of bugs in commercial s/w many of which have not and probably
never will be fixed - some vendors are quite open about that.  In most
cases I simply ended up porting the latest BSD version of whatever to
the box so we could get on with our work...

Having the source does not mean that the s/w is better or worse
(usually better because more people are working on it... often worse
for the same reason :-) The important point though is that if there is
a bug, or my environment is such that the s/w needs to be modified I
can get it done.

On one of my UNIX systems at home I have _one_ commercial package.
Guess which is the only package that is _not_ working...?  It's a
package compiled for BSDI running on a NetBSD box and while it worked
fine under NetBSD-0.9 it does not under NetBSD-1.0.  Having OS source
allowed me to track the problem precisely btw.  I don't see this as
the fault of either OS - but if I had the source to the package _I_
wouldn't have a problem as a simple re-compile on my system would fix
it.  Alternatively I could pay a few thousand $$ to the package vendor
to have them port it to my box - but I've just learned to do without.

> 	It's become axiomatic that you must have the source, just like

It's not "you must have the source" but it sure beats not having it.

Simon J. Gerraty		<sjg @ zen . void . oz . au>

#include <disclaimer>		/* imagine something _very_ witty here */

