atheros chips dangerous?

[Wesley Morgan]

On Fri, 11 Aug 2006, Poul-Henning Kamp wrote:

> In message <44DC47D7.2050908 at fadesa.es>, =?ISO-8859-1?Q?=22Jos=E9_M=2E_Fandi=F1
> o=22?= writes:
>
>>> Sam compiled those binaries, he has the source code.
>>>
>> And it is a matter of trust.
>>
>> from the phk's comments I deduce that it was a NDA between Atheros
>> and FreeBSD.
>
> The NDA is between Atheros and Sam Leffler.
>
>> In my opinion the difference is that with NDA you place trust in
>> a few persons (the ones with the code), whilst with open source
>> drivers the code can be reviewed by all people with enough
>> knowledge about the subject and since peer review is an important
>> concept in FOSS quality (and security) it would be desirable
>> to have free code.
>
> While that is certainly true, I also feel that the fact that
> Atheros has actively tried to work with the FOSS people to get
> a good driver should be credited to them.
>
> Other vendors have been totally impossible to work with.

I agree, the Atheros driver is fantastic. The driver may be "binary" in 
some ways, but I think we got the best of both worlds. The vendor is 
providing every scrap of information necessary without having to give away 
trade secrets, and FreeBSD got a driver authored by a developer who is 
probably one of the most qualified people in the world to work on it. I 
know I go out of my way to purchase and recommend Atheros-based wireless 
devices because of this.

Anyone who simply makes the blanket assumption that because something is 
"FOSS" that it gets more peer review need only to look at some of the 
oldest open source projects around, such as sendmail or XFree/Xorg, to 
realize that security problems can persist for years without being 
discovered.


-- 
This .signature sanitized for your protection