security issues

Alan McKinnon alan at linuxholdings.co.za
Tue Mar 14 21:15:56 UTC 2006


On Tuesday 14 March 2006 14:29, Colin Watson wrote:
> On Mon, Mar 13, 2006 at 06:04:20PM -0600, Lamp wrote:
> > Why on God's green earth was the password ever written to a file
> > in the first place?!?!??
>
> It was obviously never meant to be; multiple defences against it
> being written to disk failed simultaneously. Those of you who are
> assuming that this was because of the equivalent of "fprintf(log,
> password);" assume wrongly; we aren't quite *that* careless! It was
> significantly more complicated than that.

<snip>

> Anyhow, I've fixed this just about as soon as was humanly possible
> for me, and take it extremely seriously. While perhaps for some of
> you it's too little too late, we'll do everything we can to install
> better defences against this kind of thing in future.

I see that the Open Source method is working.

I've done a bit of coding in my time and learned the lessons the hard 
way. I've learned that no code is perfect and mistakes do happen, and 
some mistakes are more awful than other ones. Good coders seem to 
work like this:

research the problem being solved adequately - check
code it to the best of your ability - check
when bugs surface, make sure you get to hear about them - check
fix them in an appropriately timely fashion - check
document the problem and its fix for other coders' benefit - check
implement policy to catch similar mistakes in the future - check
be honest and don't try and hide what happened - check

What we have here is evidence that the responsible parties *can* be 
trusted. As a coder I get a warm fuzzy feeling from this whole 
incident - the response was admirable as 0 day fixes on a Sunday are 
almost unheard of. That it concerns passwords is unfortunate, but 
you know what? Stuff happens. Then it happens some more.

Others may disagree with me and feel they can't trust Ubuntu any more. 
If so, feel free to mail me off-list and I'll tell you the horror 
story of a well-known database product whose vendor let an almost 
identical bug go unfixed for 18 MONTHS.

-- 
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
