Re: thoughts on kernel security issues

From: Linus Torvalds
Date: Wed Jan 12 2005 - 15:35:37 EST
On Wed, 12 Jan 2005, Linus Torvalds wrote:
>
> So if the embargo time starts ticking from _first_ report, I'd personally
> be perfectly happy with a policy of, say "5 working days" (aka one week),
> or until it was made public somewhere else.

Btw, the only thing I care about is the embargo on the _fix_.

If a bug reporter is a security house, and wants to put a longer embargo
on announcing the bug itself, or on some other aspect of the issue (ie
known exploits etc), and wants to make sure that they get the credit and
they get to be the first ones to announce the problem, that's fine by me.

The only thing I really care about is that we can serve the people who
depend on us by giving them source code that is as bug-free and secure as
we can make it. If that means that we should make the changelogs be a bit
less verbose because we don't want to steal the thunder from the people
who found the problem, that's fine.

One of the problems with the embargo thing has been exactly the fact that
people couldn't even find bugs (or just uglinesses) in the fixes, because
they were kept under wraps until the "proper date".

Linus