Path: utzoo!attcan!uunet!husc6!mailrus!ames!vsi1!octopus!avsd!childers
From: childers@avsd.UUCP (Richard Childers)
Newsgroups: news.sysadmin
Subject: Re: Virus: I blame the vendors
Summary: vendors are culpable
Keywords: eternal slack
Message-ID: <270@avsd.UUCP>
Date: 14 Nov 88 20:46:40 GMT
References: <563@husc6.harvard.edu>
Reply-To: childers@avsd.UUCP (Richard Childers)
Organization: AMPEX Corporation, Redwood City, CA
Lines: 64

In article <563@husc6.harvard.edu> reiter@harvard.harvard.edu (Ehud Reiter) writes:
>I think the vendors bear the lion's share of guilt in this affair.

They do. Especially Sun, as it has deliberately sought a lion's share of
the market and has expended a similar amount of capital to make sure it
stays there at the top, in a *leadership* position.

>Why the hell didn't Sun and friends fix these security holes ages ago?

Not cost-effective. (See below.)

> b) Sun has been making a fuss about the snazzy new high-tech security
>features in 4.0. I wonder how many man-years those represent? I wonder
>how many man-hours (man-minutes?) it would have taken to fix the Sendmail
>distribution? My personal definition of `hacker': someone who loves writing
>snazzy new code but refuses to do code maintenance.

I interviewed at Sun's Software Quality Assurance a few months ago, with
both Graphics and UNIX departments of the QA group, several members of
each, and in order to diffuse the finger-pointing I'll just say that
everyone was of a uniform mind - except for the SQA director, a *classic*
Scott McNealy clone if ever I saw one - that the week or two they had to
test major releases was not adequate to the responsibility they had to
the user community.

See, Sun has several major models, each of them have dozens of possible
confs, and it's a nightmare to test them all. Anyone who's watched SunOS
go through its stages, 1.x, 2.x, 3.x, has probably seen similar factors
that point to a failure to do things right.
Manual pages are out of date, manual pages that conflict with program
behavior, programs that conflict with manual pages, and programs that
aren't documented ... what Sun does, apparently, is test ONLY the major
sellers, and test ONLY the major programs, using an ancient blackbox
testing program that was probably written back in 1983.

It seems clear to me that someone got a raise out of 'speeding up' QA,
whom they no doubt characterized as a bunch of goof-offs. How long does
it take to test a version of an OS, anyway ? ( Duhhh ... )

The moment you appoint an MBA to control a bunch of dedicated engineers,
you are going to see a drop in quality, as the MBA fails to see the
critical issues and makes decisions based on a superficial, not
substantial, understanding of the issues, both short- and long-term.

I know Sun's got a few spin-doctors on the net who'll do their best to
make as little of my commentaries as possible, but they are offered in
the interest of freedom of information, and in the interests of honesty.

Let's just say I was so turned off by problems in 3.x that weren't fixed
until 3.5, that I'm not going to install 4.0 until it's gone through a
bunch of revisions. Now that I know why they are there, I know they'll
continue cropping up until a new set of managers assumes responsibility
for Sun, which is highly unlikely.

It's kind of like a job I had for a few hours in a restaurant when I was
a kid. I was supposed to wash the dishes. To my mind, that meant to 'get
them clean'. To the mind of my manager, that meant 'run water over them'.
I was fired that night for not doing the dishes fast enough, although
there was a sufficiently large supply of clean dishes to last ...

-- richard

--
 * Tyger, tyger, burning bright,        ..{amdahl,decwrl,hoptoad,hplabs, *
 * In the forest of the night ;            octopus,pyramid,ucbvax,vixie} *
 * What immortal hand or eye,              !avsd.UUCP!childers@tycho     *
 * Could frame thy fearful symmetry ?      AMPEX Corporation, R & D      *