>> It would really REALLY help if the report would give enough details
>> for me to make an informed decision.  [...]  Apparently they
>> consider it acceptable to make me reproduce the work to figure out
>> what the vulnerability is, rather than actually providing useful
>> information about it.

> You are whining,

Call it what you will.  It would have been easy to say something like
"the optbuf[] array in handle_mode42() can be overrun if the packet has
NTPOPT_ALIEN set but a zero-length planet string".  (It would be even
easier, and possibly more informative, to just provide the diff for the
commit of the fix.)  Instead we get "there is a buffer overrun in
handle_mode42()".

> Please tell me a valid use case for sticking with the older version.

It means not going through the vetting hell for the recent version
(you've drunk the ./configure koolaid, which is hell for trying to vet;
see the "./configure considered harmful" post on my blah), nor the
day-plus of bludgeoning it into building after that.  Based on a few
remarks tossed out in this thread, it likely depends on other things I
don't have installed, which ups the work factor substantially.

Is that "valid" to you?  I don't know.  It is to me.

>> This does not inspire me to want to use their software.  I've long
>> been tempted to build my own NTP implementation, [...]

> Goferit.  Several other folks have done similarly, and to my
> knowledge *all* have stuck thru it to get something that was good
> enough for their specific needs and all have said that when they
> started they had no idea how difficult a problem this is to solve.

Of course not.  Going into something that big, there's never any real
idea what the experience will be like.  That was true when I wrote my
window manager, my terminal emulator, my ssh implementation, AF_TIMER
sockets, my SMTP server, the SMTP shim, doubtless various others; I
would not expect NTP to be any different.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
