Re: thoughts on kernel security issues

From: Greg KH
Date: Wed Jan 12 2005 - 16:09:13 EST


On Wed, Jan 12, 2005 at 12:27:11PM -0800, Chris Wright wrote:
> * Linus Torvalds (torvalds@xxxxxxxx) wrote:
> > But in the absence of politics, I'd _happily_ have a self-imposed embargo
> > that is limited to some reasonable timeframe (and "reasonable" is
> > definitely counted in days, not weeks. And absolutely _not_ in months,
> > like apparently sometimes happens on vendor-sec).
> >
> > So if the embargo time starts ticking from _first_ report, I'd personally
> > be perfectly happy with a policy of, say "5 working days" (aka one week),
> > or until it was made public somewhere else.
>
> That's more or less my take. Timely response to reporter, timely
> debugging/bug fixing and timely disclosure.

That sounds sane to me too.

> > IOW, if it was released on vendor-sec first, vendor-sec could _not_ then
> > try to time the technical list (unless they do so in a very timely manner
> > indeed).
>
> What about the reverse, and informing vendors? This is typical...project
> security contact gets report, figures out bug, works with vendor-sec on
> release date. In my experience, the long cycles rarely come from that
> final negotiation. It's usually not much of a negotiation, rather a
> "heads-up", "thanks".

Vendors should also cc: the kernel-security list/contact at the same
time they would normally contact vendor-sec. I don't see a problem with
that happening, and it would spare the people on vendor-sec from having
to wade through a lot of linux kernel specific stuff at times.

> The two goals: 1) timely response, fix, disclosure; and 2) not leaving
> vendors with pants down; don't have to be mutually exclusive.

I agree, having pants down when you don't want them to be isn't a good
thing :)

thanks,

greg k-h