[402] in linux-security and linux-alert archive
Re: console security (was Re: problem with selection)h
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Sun Oct 1 16:57:32 1995
Date: Sat, 30 Sep 1995 03:00:22 -0400
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: Ian Jackson <iwj10@cus.cam.ac.uk>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Ian Jackson's message of Sat, 30 Sep 95 02:36 BST,
<m0syqr6-0002ZJZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 30 Sep 95 02:36 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
In May I wrote to Ted Ts'o and said "have you seen my bug report", and
he said "no". I sent it to him again. I have not had any reply
since.
I don't think I saw the bug report the second time, sorry..... in any
case I don't remember it.
I have to say I'm not particularly impressed with the responsiveness
to bug reports about the serial driver. From kernel version 1.1.13 to
1.1.40 or so hardware flow control was broken. I kept reporting this,
and was told things like "well, most people mailing me say it works
for them", and it took several months before the problem was
acknowledged and then fixed. In the meantime of course I'd been
unable to test the recent 1.1.x series kernels and a data-corrupting
bug had been introduced in the floppy driver.
I'm busy; very busy. Bug reports which don't contain a lot of
information, or which can't be easily reproduced, I don't spend a lot of
time on. Sorry, that's just the way it is. When someone actually took
the time to send me a reproduceable bug report, (spending some amount of
their own time doing their own analysis), so I could see what the
problem was, I fixed it promptly.
The serial driver is a very hard piece of code to maintain, since in
many cases the bug is in the setup, or the application software, and not
in the kernel. Often, I don't have a copy of the particular version of
getty, or login, or uucp, or whatever where someone is seeing the
problem, making it even hard for me to reproduce the problem.
If you want me to spend large amounts of time working on your particular
problem, including reproducing your environment so I can try to find
your bug, when you can't be bothered to do some of the analysis on your
end, you've got another think coming. I do a lot of work for the Linux
community, gratis; if you want more time out of my own life than that
which I will gladly offer to the community, you're going to have to pay
for it.
- Ted
[Mod: Ian's most recent post(s), along with parts of this thread on
console security and the serial driver, seem to have touched a nerve
with a couple of people. lilo <TaRDiS@mail.utexas.edu> also posted two
brief comments on this, which I am attaching here, rather than approving
as separate posts, as they sort of reiterate what Ted has said. Please
take the rest of this thread to private e-mail unless new developments
warrant a return to list postings. I am trying to avoid the situation
that lilo mentions in post 1. --Jeff.]
Post 1 from lilo:
This is one of those, `Mr. Software Person, if you're listening, I'm
really dissatisfied with the free work you're doing' messages. I saw
a lot of those on linux-gcc before I unsubscribed because there seemed
to be more complaining than constructive comments....
Unless you're planning on taking over the maintenance of the serial
drivers for Linux...?
Post 2 from lilo:
Ted has made the point, repeatedly, that if you have access to the
console, you have access to pretty much the whole machine. Local
security on PC equipment has never been very good.
The point is arguable, but Ted's problem with the cost-benefit ratio
of enhancements to security which can be overridden with a floppy is
certainly understandable.
