On Wed, Jul 25, 2007 at 11:32:09PM -0700, Dan Lund wrote:
> Eh, there's just less of a market visibility for OpenBSD, so it's not aimed at.
> It's merely luck of the draw in this case, however.

As a follow-up, Theo talks about the history of this in the comment section of http://undeadly.org/cgi?action=article&sid=20070725193920, which I'll quote below. Important points to consider, as I see them:

This isn't a Linux vs. BSD issue. The ISC is its own thing, apart from Linux or BSD. Neither Linux nor BSD is the whole of FLOSS. FLOSS people should be aware of other FLOSS people, share ideas and code, and learn from each other. There's a real danger in being an isolationist here, as the BIND 9 exploit shows.
Actually, we found the original problem with SNI (Secure Networks) and CORE (of Argentina) in 1997, and we fixed it at the same time in our version of the code, which was BIND 4 at the time. This is the problem reported and fixed in http://www.openbsd.org/advisories/res_random.txt

Following that discovery and repair, the ISC people developing BIND 8 and BIND 9 went and developed their own LFSR-based solution to solve the same problem. Instead of using our cryptographically better solution, they went with their own solution because it put less pressure on the (non-existent) random number subsystems that current operating systems had. (They chose to use what systems had for RNG subsystems, rather than joining other projects at pressuring operating systems of the time to get onto the strong RNG bandwagon sooner).

At the time we told them that we felt their solution was not as secure. We explained in detail why we thought our solution was better. They did not listen. We had gone through great efforts with the CORE guys (who did the math side of our non-repeating random number generator) to make sure that attacks of that kind would not be feasible.

Remember that before these changes it was basically id++. Before our posting, there was no solution to the id++ problem. After our solution, ISC went and independently developed an inferior solution rather than our solution.

When we switched to BIND 9, we chose to stick with our own solution rather than use the inferior ISC developed mechanism. Glad we did so.
--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
dwchandler@stilyagin.com | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
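To make the three schemes Theo contrasts concrete, here is an added example (not code from this thread, from ISC BIND or from OpenBSD): toy 16-bit DNS transaction-ID generators for id++, a plain LFSR, and CSPRNG-driven random and non-repeating-random IDs, plus an attacker who knows the algorithm and has watched a few IDs go by. The LFSR (a textbook 16-bit Fibonacci register whose output is its whole state) and the shuffled-permutation generator are illustrative constructions of my own, not either project's actual generator; every class and function name below is an assumption.

```python
"""Toy DNS transaction-ID generators and an ID-prediction attacker.

Added example, not code from the mailing-list thread, ISC BIND or OpenBSD.
The LFSR is a textbook 16-bit Fibonacci register and the non-repeating
generator is a shuffled permutation of the ID space: both are illustrative
assumptions, not the generators either project actually shipped.
"""
import secrets

ID_BITS = 16                  # DNS message IDs are 16 bits wide
ID_SPACE = 1 << ID_BITS
MASK = ID_SPACE - 1


class SequentialIds:
    """The original 'id++' scheme: each ID is the previous one plus one."""
    def __init__(self, start=None):
        self.cur = (secrets.randbelow(ID_SPACE) if start is None else start) & MASK

    def next_id(self):
        self.cur = (self.cur + 1) & MASK
        return self.cur


class LfsrIds:
    """Toy 16-bit Fibonacci LFSR (x^16 + x^14 + x^13 + x^11 + 1).

    The ID handed out is the register contents, so every ID leaks the whole
    state and the next ID is a linear function of the last one.
    Illustrative assumption, not ISC's design.
    """
    TAPS = (0, 2, 3, 5)

    def __init__(self, seed=None):
        s = secrets.randbelow(ID_SPACE - 1) + 1 if seed is None else seed & MASK
        self.state = s or 1       # the all-zero state never changes

    @staticmethod
    def step(state):
        fb = 0
        for t in LfsrIds.TAPS:
            fb ^= (state >> t) & 1
        return (state >> 1) | (fb << (ID_BITS - 1))

    def next_id(self):
        self.state = self.step(self.state)
        return self.state


class RandomIds:
    """A fresh CSPRNG draw per query: unpredictable, but IDs may repeat."""
    def next_id(self):
        return secrets.randbelow(ID_SPACE)


class NonRepeatingRandomIds:
    """Random order of the whole ID space, reshuffled once exhausted: as
    unpredictable as RandomIds, and no ID repeats within one period.
    Illustrative construction (an assumption), not OpenBSD's res_random."""
    def __init__(self):
        self._refill()

    def _refill(self):
        perm = list(range(ID_SPACE))
        for i in range(ID_SPACE - 1, 0, -1):      # Fisher-Yates with a CSPRNG
            j = secrets.randbelow(i + 1)
            perm[i], perm[j] = perm[j], perm[i]
        self._perm, self._pos = perm, 0

    def next_id(self):
        if self._pos == ID_SPACE:
            self._refill()
        v = self._perm[self._pos]
        self._pos += 1
        return v


def predict_next(scheme, observed):
    """Attacker's guess at the next ID. The attacker knows the algorithm
    (Kerckhoffs) and has seen `observed`, e.g. by getting the resolver to
    query a zone the attacker serves."""
    last = observed[-1]
    if scheme == "sequential":
        return (last + 1) & MASK
    if scheme == "lfsr":
        return LfsrIds.step(last)          # one observed ID is the whole state
    return secrets.randbelow(ID_SPACE)     # CSPRNG: no better than a blind guess


def attack_success_rate(make_gen, scheme, trials=100, observe=3):
    """Fraction of trials in which the attacker names the next ID exactly."""
    hits = 0
    for _ in range(trials):
        gen = make_gen()
        seen = [gen.next_id() for _ in range(observe)]
        if predict_next(scheme, seen) == gen.next_id():
            hits += 1
    return hits / trials


def all_distinct(make_gen, n=ID_SPACE):
    """True when the first n IDs from a fresh generator contain no repeat."""
    gen = make_gen()
    return len({gen.next_id() for _ in range(n)}) == n


if __name__ == "__main__":
    print("id++   :", attack_success_rate(SequentialIds, "sequential"))
    print("LFSR   :", attack_success_rate(LfsrIds, "lfsr"))
    print("random :", attack_success_rate(RandomIds, "random"))
    print("non-repeating, 65536 distinct:", all_distinct(NonRepeatingRandomIds))
```

Run as-is it reports a 100% hit rate against id++ and the toy LFSR (a single observed ID fixes every later one, so a forged response carrying the predicted ID passes the ID check) and essentially 0% against the CSPRNG-based generators, where the attacker is back to one chance in 65536 per forged packet. A real LFSR-based generator would expose less of its register per ID than this toy does, but because an LFSR is linear an attacker who collects enough outputs can still solve for the state; the toy just collapses that into one line. The last check shows what "non-repeating" buys: the permutation generator hands out 65536 distinct IDs before any value recurs, whereas plain random draws collide by the birthday effect.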