End of all Open Source.

From: Feher Tamas (etomcat@freemail.hu)
Date: 03/04/03


From: "Feher Tamas" <etomcat@freemail.hu>
Date: Tue, 4 Mar 2003 17:40:29 +0100

Dear Sirs,

I am sure you have heard of the latest huge buffer overflow, root exploit
security hole in the open source SendMail MTA and its bugfix.

We know that this security issue was discovered on 27th Nov 2002 by ISS
Corp. (CVE MITRE ID# CAN-2002-1337)

However, the US Department of Homeland Security prohibited Sendmail Inc.,
the US-based developer of the affected MTA software from disclosing the
issue to public. The state authorities organized all major vendors, from Sun
to IBM to make patchES and the issue + fixes were disclosed to public only
this monday, that is, more than 3 moths later.

I am hereby calling all honest people and especially the software developers
to:

-publicly condemn the incident, because it represents a blantant violation
of the US Constitution, especially the institution of free speach which is
introduced by the First Amendment. Source code, the essence of Open Source
has been repeatedly declared free speach by the supreme court. Any exploit
or bugfix for a particularly software is source code itself, therefore
protected under Amendment One.
The US goverment's action represents an abuse of power, regardless of the
fact, that the intention of the action was most likely positive, i.e.
protect the public from the danger. Year 1984 is still1984, even if it's
Boxing Day, not Halloween.

-You shall state in public that you will not succumb to pressure by state or
participate in cover-ups, like the one described above.

-You shall immediately review the list of your source code suppliers (those,
whose code you reuse) to determine, whether those entities may be subject to
the same rules, which Sendmail Inc. followed, that is to keep mouth shut, if
Uncle Sam tells them so. If that is the case, your customers / users are
being in danger when using your software and those suppliers must be
replaced with safe ones.

This is not a joke, we are talking about something very orwellian. In fact I
am afraid this Sendmail incident put the . on an empty line at the end of
the history of Open Source development. Or maybe forming source code reading
clubs can save the day. Welcome to the world of Fahrenheit 451!

Faithfully: Tamas Feher.