our recent security stuff
- To: misc@cvs.openbsd.org
- Subject: our recent security stuff
- From: Theo de Raadt <deraadt@cvs.openbsd.org>
- Date: Sun, 02 Feb 2003 22:45:36 -0700
The most amazing thing about this new buffer overflow stuff is that it
appears no one in any other project has commented on it in a public
mailing list anywhere. Eerie silence.
I don't know about how you guys view that, but to me it is pretty
depressing that none of these other projects (or their users) see the
impact and import of these changes; that indicates a large lack of
vision.
The interesting side of ProPolice is that it will, once we ship 3.3,
be on everyone's OpenBSD machines. People will run buggy software.
ProPolice catches bugs at run-time. When a buffer overflow is
accidentally (or purposefully) hit, a syslog will be delivered naming
the function where the problem happened, before the program aborts.
Since our noses are stuck in the source, and our run-time testing
methodology is weak (as weak as the entire industry) many bugs will be
found; safely. Many bugs will be found, because there's only a few of
us running this stuff now, in the way we run it. But when these
runtime errors are caught, it will be easy to find the actual bugs.
And easy for an attacker to attack the same software on another
system. I don't know how large this impact will be.
However, it is possible it might be big.
I used to ask Crispin Cowan if StackGuard had ever found any regular
bugs; and he never said yes... well, since integrating ProPolice we've
already found a whole bunch of bugs as a result of it. So, this
might be very interesting...
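The paragraph above describes the runtime behaviour a practitioner should expect from ProPolice: a guard word placed between the local buffers and the saved return address, checked in the function epilogue, with a log line naming the function before the process dies. The block below is an added illustration of that mechanism, written for this page; it is neither Theo's code nor OpenBSD's or ProPolice's. It writes out by hand what the compiler would otherwise emit: `frame_t`, `guard_value`, `smash_handler`, `last_smashed_fn`, `vulnerable_copy`, `build_input` and `run_case` are invented names, the guard is a fixed constant instead of the per-process random value the real implementation uses, and the log text is modelled on, not copied from, the OpenBSD handler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not OpenBSD or ProPolice code): a hand-written model of
 * the frame layout and guard check that ProPolice inserts into a function
 * with a local array.  All identifiers below are invented for this
 * illustration.
 */

#define BUF_LEN 16

/* Model of one protected frame.  ProPolice places local arrays directly
 * below the guard word, so a linear overrun of buf corrupts guard before
 * it can reach the saved frame pointer / return address above it. */
typedef struct {
    unsigned char buf[BUF_LEN];
    uintptr_t     guard;        /* the "canary" */
    uintptr_t     saved_ret;    /* stand-in for the saved return address */
} frame_t;

/* The real guard is chosen at random per process at startup; a fixed
 * value is used here so the example is deterministic (assumption). */
static const uintptr_t guard_value = (uintptr_t)0x5f3759df1d2c4b6aULL;

/* Name of the function whose guard was last found corrupted, or NULL. */
static const char *last_smashed_fn = NULL;

/* Stand-in for the libc smash handler, which syslogs a line naming the
 * function and then terminates the process.  This model records the
 * name and returns so the caller can report a status instead of dying. */
static void smash_handler(const char *fn)
{
    last_smashed_fn = fn;
    fprintf(stderr, "stack overflow in function %s\n", fn);
}

/*
 * Buggy copy routine with the guard prologue/epilogue written out by hand.
 * Returns 0 if the epilogue check passed, -1 if the guard was corrupted.
 * The copy is unbounded with respect to BUF_LEN (the actual bug) but is
 * capped at sizeof(f) so the example itself stays memory-safe.
 */
static int vulnerable_copy(const unsigned char *src, size_t n)
{
    frame_t f;
    f.saved_ret = (uintptr_t)0xdeadbeef;
    f.guard = guard_value;                 /* prologue: store guard */

    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, src, n);                    /* buf is at offset 0; no bounds check */

    if (f.guard != guard_value) {          /* epilogue: verify guard */
        smash_handler(__func__);
        return -1;
    }
    return 0;
}

/* Fill out with n bytes of attacker-controlled data.  If know_guard is
 * set, the bytes that land on the guard slot are the guard value itself,
 * modelling an attacker who has already leaked it. */
static void build_input(unsigned char *out, size_t n, int know_guard)
{
    memset(out, 'A', n);
    if (know_guard && n >= BUF_LEN + sizeof guard_value)
        memcpy(out + BUF_LEN, &guard_value, sizeof guard_value);
}

/* Run one scenario: n bytes of constructed input pushed through the
 * vulnerable routine.  Returns the guard-check status. */
static int run_case(size_t n, int know_guard)
{
    unsigned char in[sizeof(frame_t)];
    if (n > sizeof in)
        n = sizeof in;
    last_smashed_fn = NULL;
    build_input(in, n, know_guard);
    return vulnerable_copy(in, n);
}

int main(void)
{
    int rc;

    rc = run_case(BUF_LEN - 1, 0);           /* fits: guard intact */
    printf("%d bytes -> %d\n", BUF_LEN - 1, rc);

    rc = run_case(sizeof(frame_t), 0);       /* overrun: guard clobbered */
    printf("%zu bytes -> %d (caught in %s)\n", sizeof(frame_t), rc,
           last_smashed_fn ? last_smashed_fn : "none");

    rc = run_case(sizeof(frame_t), 1);       /* overrun with known guard */
    printf("%zu bytes, guard known -> %d (not caught)\n", sizeof(frame_t), rc);
    return 0;
}
```

Two things the model makes visible that the prose only implies. First, the check fires on any linear overrun of even a single byte past the buffer, which is exactly why ordinary off-by-one bugs surface as log entries rather than silent corruption. Second, the last case shows the limit of the scheme: an overrun that writes the correct guard value back into place passes the epilogue check, so the guard only protects as long as it stays unpredictable, and overwrites that skip the guard slot (for example through a stray pointer rather than a sequential copy) are not caught at all.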