| 1 |
On Thursday 18 January 2007 19:41, Duncan wrote: |
| 2 |
> "Hemmann, Volker Armin" <volker.armin.hemmann@××××××××××××.de> posted |
| 3 |
> 200701181712.53640.volker.armin.hemmann@××××××××××××.de, excerpted below, |
| 4 |
> |
| 5 |
> on Thu, 18 Jan 2007 17:12:53 +0100: |
| 6 |
> > So much text from you, but where is the 'I was wrong, sorry'? |
| 7 |
> > |
| 8 |
> > Even if nvidia should have recognized the bug as a serious problem the |
| 9 |
> > moment it was reported, they delivered the bugfix in 3 month, 3 days |
| 10 |
> > after they got informed that it was security problem. And they did not |
| 11 |
> > 'cover it up'. |
| 12 |
> |
| 13 |
> If I am demonstrated to be wrong, I say it, but it hasn't happened here. |
| 14 |
> It WAS a security vuln, and as any such unhandled crash from native code, |
| 15 |
> they should have treated it as a potential security vuln from the moment |
| 16 |
> the found it until it was fixed or proven otherwise. |
| 17 |
> |
| 18 |
> As for time to a fix, the point is, regardless of how long it actually |
| 19 |
> took, if the software master (see the sig) has respect for his users and |
| 20 |
> makes source available, any user can either create a fix or arrange for it |
| 21 |
> to be created. As it happens, in something that widely used, precisely |
| 22 |
> /because/ the source is available, a decent share of such bugs (which we |
| 23 |
> both agree happen in all non-trivial software) in the FLOSS community are |
| 24 |
> fixed in rather LESS than "three months, three days". However, that's |
| 25 |
> beside the point, since any user of such software who thinks such bugs |
| 26 |
> aren't being turned around in a timely enough manner can arrange for a fix |
| 27 |
> themselves, or simply apply a patch if someone else has already done so. |
| 28 |
> Since it was slaveryware, that option wasn't available and a slave subject |
| 29 |
> to master NVidia's whims and decisions on timing, unable to take their own |
| 30 |
> needs and priorities into consideration and arrange for a fix sooner if |
| 31 |
> they thought necessary, is /exactly/ what the users were. |
| 32 |
> |
| 33 |
> What if NVidia had taken a year to come out with a fix? What if they |
| 34 |
> decided it wasn't worth their trouble and never came out with a fix? If |
| 35 |
> it's Free software, there's an alternative, should the user wish to avail |
| 36 |
> themselves if it. With slaveryware, that's exactly what the user is, a |
| 37 |
> slave to the whims of the software's master. I make it a point to no |
| 38 |
> longer be a slave to the whims of the masters of the code I run. That |
| 39 |
> doesn't mean you have to, it just means I do. |
| 40 |
> |
| 41 |
> As for using the term slaveryware in my posts... You don't tell me how I |
| 42 |
> feel about the software I believe is slaveryware and label it so in my |
| 43 |
> posts, and I'll not insist you call it slaveryware in yours. After all, |
| 44 |
> if you find my choice of terms offensive, you don't /have/ to read them. |
| 45 |
> There /is/ this thing called a killfile, should you find it necessary to |
| 46 |
> use. Call it heavenlyware in yours if you wish. Deal? =8^) |
| 47 |
> |
| 48 |
> (Oh, and backing someone into a corner by demanding an apology doesn't |
| 49 |
> tend to be a very effective way of actually getting one. Let's not make |
| 50 |
> this too personal, and agree that we /can/ disagree. It's not as if the |
| 51 |
> world comes to an end because of it, after all. =8^) |
| 52 |
> |
| 53 |
> -- |
| 54 |
> Duncan - List replies preferred. No HTML msgs. |
| 55 |
> "Every nonfree program has a lord, a master -- |
| 56 |
> and if you use the program, he is your master." Richard Stallman |
| 57 |
|
| 58 |
|
| 59 |
to long, did not read. |
| 60 |
|
| 61 |
Stop preaching. |
| 62 |
|
| 63 |
And I showed you, you were wrong. YOU said, they tried to cover it up. They |
| 64 |
did not. As soon, as it was known to be a vulnerabilty, it was fixed. In |
| 65 |
three days. |
| 66 |
|
| 67 |
So your whole attack was nonesense. |
| 68 |
|
| 69 |
That said, a lot of vulns are not recognized at first, because not everybody |
| 70 |
is a security guru. |
| 71 |
|
| 72 |
Like the Xorg render vulnerability. Crash in render, Xorg's fault, open to |
| 73 |
exploit. Despite the fact, that xorg is open source. And despite the fact |
| 74 |
that everybody could read the code, it took a long time to find it. |
| 75 |
|
| 76 |
|
| 77 |
Stop using the word 'slaveryware' or I might use 'that zealot' when I am |
| 78 |
talking about you. Slaveryware is offensive and demeaning. Everytime you use |
| 79 |
it, you should apologise to everybody who had the bad luck of reading it. |
| 80 |
|
| 81 |
I am sorry that I am using that term just now. Please forgive me. |
| 82 |
|
| 83 |
And killfile is not an option, you are sending lots and lots of your sermons |
| 84 |
to the ml. In fact, almost all mails of you end as a sermon. Sometimes, |
| 85 |
someone just had to ask for a break to show, that YOUR point of view is |
| 86 |
certainly NOT the one of everybody else. |
| 87 |
|
| 88 |
-- |
| 89 |
gentoo-amd64@g.o mailing list |
Archives