Request for help: electronic submission of SPRs

Richard Wood rwood at vajra.uucp
Sat Apr 22 02:33:40 AEST 1989


Barnett at crdgw1.crd.ge.com (Bruce G. Barnett) writes:

> Uh. So USENET is more secure? :-)

> Seriously, if someone found a bug that is significant (like the bug in
> ed(1) I discovered while installing USENET), I think it is to everyone's
> advantage to make this problem known ASAP.

As I understand it, USENET is not a general purpose network;  "mailbug"
submissions couldn't really be made by it.  It is, instead, a distributed
BBS implemented over various types of networks, among which are USENET
and the Internet.  Of course, people frequently confuse USENET and UUCP.

But then your :-) might have indicated you knew that and were pointing
out the irony that bugs were already discussed here.  The problem is
that some bug reports contain information that the submitter considered
sensitive, and Digital's response might be likewise.  Since the use of
the USENET is wholly discretionary, that isn't a problem.  But relying
on a non-secure network for an official function would be a problem.

> But I don't really understand the reluctance by DEC to discuss (or
> acknowledge) these problems publicly. Yes, I can understand a company's
> reluctance to admit a stupid mistake. But this will NEVER keep it
> quiet. Sun, for instance, has made several stupid MAJOR mistakes.
> Look at the infamous leap year bug. If DEC made a mistake
> like this, or left a LARGE hole in their operating system,
> they should publicize the fix - or how to get the fix, ASAP.
>
> Face it. You can't hide serious problems.

That was not the intent of my concern with security.  I would expect any
"mailbug" program to also allow quick dissemination of critical
information (such as patches for security holes) to contract customers;
and I know that there is nothing within DEC that would prevent us from
posting such fixes to the USENET either  - Ken Olsen himself gave me
permission to use this medium :-).  However, there doesn't appear to be
a formal program in place right now to take such actions.

> And if Sun, HP/Apollo, or IBM did find out about a bug in Ultrix, so
> what? What are they going to do besides snicker the same way DEC does
> when they find out about something stupid in their competitor's
> system?

*Our* competitors are not the only problem.  It is often necessary when
discussing bugs to mention details that anyone would want to keep
confidential.  This might include comments from government labs or
semiconductor houses - we simply can't ask our customers to use non
secure channels.  It is also true that Digital would be concerned about
it, but the problem isn't limited to being snickered at.

> Then use the biz.* distribution available from UUNET!
> If people want it, they can get it. If they don't want it -no problem!

I'm not up on UUNET.  I'll check up on it.  (I noticed all those biz.*
things that my rn kept asking me whether I was interested in, but I'm so
used to seeing endless proliferation of newsgroups that I ignored them
:-)

Thanks for your comments.

-- ----------------------------------------------------------------------------
Does it need saying that I'm not speaking as an official representative of DEC?
===============================================================================
Richard Wood  !  U. S. Worksystems, Palo Alto  !  Digital Equipment Corporation


