On Thursday 18 January 2007 19:41, Duncan wrote:
> "Hemmann, Volker Armin" <volker.armin.hemmann@××××××××××××.de> posted
> 200701181712.53640.volker.armin.hemmann@××××××××××××.de, excerpted below,
> on Thu, 18 Jan 2007 17:12:53 +0100:
> > So much text from you, but where is the 'I was wrong, sorry'?
> >
> > Even if nvidia should have recognized the bug as a serious problem the
> > moment it was reported, they delivered the bugfix in 3 months, 3 days
> > after they got informed that it was a security problem. And they did not
> > 'cover it up'.
>
> If I am demonstrated to be wrong, I say it, but it hasn't happened here.
> It WAS a security vuln, and as any such unhandled crash from native code,
> they should have treated it as a potential security vuln from the moment
> they found it until it was fixed or proven otherwise.
>
> As for time to a fix, the point is, regardless of how long it actually
> took, if the software master (see the sig) has respect for his users and
> makes source available, any user can either create a fix or arrange for it
> to be created. As it happens, in something that widely used, precisely
> /because/ the source is available, a decent share of such bugs (which we
> both agree happen in all non-trivial software) in the FLOSS community are
> fixed in rather LESS than "three months, three days". However, that's
> beside the point, since any user of such software who thinks such bugs
> aren't being turned around in a timely enough manner can arrange for a fix
> themselves, or simply apply a patch if someone else has already done so.
> Since it was slaveryware, that option wasn't available and a slave subject
> to master NVidia's whims and decisions on timing, unable to take their own
> needs and priorities into consideration and arrange for a fix sooner if
> they thought necessary, is /exactly/ what the users were.
>
> What if NVidia had taken a year to come out with a fix? What if they
> decided it wasn't worth their trouble and never came out with a fix? If
> it's Free software, there's an alternative, should the user wish to avail
> themselves of it. With slaveryware, that's exactly what the user is, a
> slave to the whims of the software's master. I make it a point to no
> longer be a slave to the whims of the masters of the code I run. That
> doesn't mean you have to, it just means I do.
>
> As for using the term slaveryware in my posts... You don't tell me how I
> feel about the software I believe is slaveryware and label it so in my
> posts, and I'll not insist you call it slaveryware in yours. After all,
> if you find my choice of terms offensive, you don't /have/ to read them.
> There /is/ this thing called a killfile, should you find it necessary to
> use. Call it heavenlyware in yours if you wish. Deal? =8^)
>
> (Oh, and backing someone into a corner by demanding an apology doesn't
> tend to be a very effective way of actually getting one. Let's not make
> this too personal, and agree that we /can/ disagree. It's not as if the
> world comes to an end because of it, after all. =8^)
>
> --
> Duncan - List replies preferred. No HTML msgs.
> "Every nonfree program has a lord, a master --
> and if you use the program, he is your master." Richard Stallman

Too long, did not read.

Stop preaching.

And I showed you, you were wrong. YOU said, they tried to cover it up. They
did not. As soon as it was known to be a vulnerability, it was fixed. In
three days.

So your whole attack was nonsense.

That said, a lot of vulns are not recognized at first, because not everybody
is a security guru.

Like the Xorg render vulnerability. Crash in render, Xorg's fault, open to
exploit. Despite the fact, that xorg is open source. And despite the fact
that everybody could read the code, it took a long time to find it.

Stop using the word 'slaveryware' or I might use 'that zealot' when I am
talking about you. Slaveryware is offensive and demeaning. Every time you use
it, you should apologise to everybody who had the bad luck of reading it.

I am sorry that I am using that term just now. Please forgive me.

And killfile is not an option, you are sending lots and lots of your sermons
to the ml. In fact, almost all mails of you end as a sermon. Sometimes,
someone just had to ask for a break to show, that YOUR point of view is
certainly NOT the one of everybody else.

--
gentoo-amd64@g.o mailing list