Play nice!

The latest in Sun vs. NetApp is that the last of the three patents at the core of NetApp’s case is close to being tossed out by the USPTO. The other two have already been invalidated and withdrawn from the litigation.

A quick refresher: following the release of ZFS, NetApp sued Sun, claiming that ZFS infringed on six NetApp patents, including the three mentioned above; Sun retaliated by claiming that NetApp had somehow forfeited their right to implement NFS, and requesting a permanent injunction against further sales of NetApp products.

This latest development is good news to anyone who is opposed to software patents, and / or in favor of reforming the utterly broken US patent system. However, I must respectfully disagree with Groklaw’s take on the case. Continue reading “Play nice!”

Old history

I am the current maintainer of OpenSSH for FreeBSD, and have been since 2002. I am also the author and maintainer of the PAM implementation used by FreeBSD, and of several of the accompanying PAM modules. Finally, I was a member of the FreeBSD Security Team for several years, served as Assistant Security Officer and Acting Security Officer, and authored or co-authored around 20 security advisories between 2002 and 2004.

I have been asked to comment on SecurityFocus advisories 7467 and 7482, regarding timing attacks against certain versions of OpenSSH that were distributed with FreeBSD 4.x and 5.x releases.

The short version is that no FreeBSD 4.x or 5.x release was ever vulnerable. Read on for the long version. Continue reading “Old history”

Ten years

That’s how long, to the day, I have been a FreeBSD committer.
Ten years seems like a long time when you write it down on paper, or say it out loud, or try to imagine who and where you will be in ten years’ time; but when I think back on my time as a FreeBSD committer, it’s hard to believe it’s really been that long.

The strangest part is seeing younger (or rather, more recently anointed) committers defer to me. I’m not the old tenured professor! I’m not the sage on the mountain! Look at phk, he’s the old fart, not me! I’m still a rookie! I practically haven’t done anything for the project! I mean, apart from libfetch, and pseudofs, and the PAM stack, and OpenSSH, and the Tinderbox, and stints as Bugmeister and Security Officer, and…

This is where my train of thoughts derails, when I realize how much I’ve actually done (although I don’t even come close to people like phk, jhb, or rwatson), and oh shit, it’s actually been ten years!

Update: when I told my wife about this, her immediate reaction was “and they say men can’t commit to anything…”


[The context for this piece is slightly dated, but I was hospitalized shortly after I started writing this, and apparently hospitals don’t provide their patients with wireless (or even wired) Internet connections. Go figure.]

I would like to comment on the following excerpt from a Firebird developer’s reaction to the Coverity press release mentioned in an earlier post:

I’m concerned that some code may trigger false positives, like some places (destination buffers) that don’t seem to check bounds, but this is because their source of data is already of guaranteed limited length. Someone that goes looking blindly for strcpy would panic at first glance.

Continue reading “Assumptions”

Coverity scans of OpenPAM

The following is a copy of a letter I sent to Coverity today.

I am the author and maintainer of OpenPAM, which was recently promoted to Rung 2 in Coverity’s Open Source scan.

OpenPAM was included in your scans in April 2006, at my request, after a NetBSD developer had contacted me and suggested that the NetBSD scans had revealed numerous bugs in OpenPAM. I later learned that this was in fact not true. On the other hand, NetBSD’s CVS history for OpenPAM shows a number changes prompted by lint(1) warnings, most of which were (from my recollection) either false positives or a result of NetBSD’s own modifications.

However, I was not aware that Coverity was still tracking OpenPAM, as the last time I tried to log in using the URL, user name and password I had been provided, the site seemed to have been taken down. Besides, OpenPAM has been dormant for a couple of years, until the release of OpenPAM Hydrangea last December.

While it is flattering to see my project mentioned in the computer press as a “major Open Source project” and—effectively—one of the eleven least buggy, it would have been nice to have been notified directly by Coverity instead of finding out from a press release.

That being said, I am immensely grateful for the service Coverity provides to the Open Source community in general, and to FreeBSD and OpenPAM in particular.