Re: thoughts on kernel security issues

From: Linus Torvalds
Date: Thu Jan 13 2005 - 16:14:41 EST
On Thu, 13 Jan 2005, Alan Cox wrote:
>
> I'm all for an open list too. It's currently called linux-kernel. It's
> full of such reports, and most of them are about new code or trivial
> holes where secrecy is pointless. Having an open linux-security list so
> they don't get missed as the grsecurity stuff did (and until I got fed
> up with waiting the coverity stuff did) would help because it would make
> sure that it didn't get buried in the noise.

Yes. But I know people send private emails because they don't want to
create a scare, so I think we actually have several levels of lists:

- totally open: linux-kernel, or an alternative with lower noise

We've kind of got this, but things get lost in the noise, and "white
hat" people don't like feeling guilty about announcing things.

- no embargo, no rules, but "private" in the sense that it's supposed to
be for kernel developers only or at least people who won't take
advantage of it.

_I_ think this is the one that makes sense. No hard rules, but private
enough that people won't feel _guilty_ about reporting problems. Right
now I sometimes get private email from people who don't want to point
out some local DoS or similar, and that can certainly get lost in the
flow.

- _short_ embargo, for kernel-only. I obviously believe that vendor-sec
is whoring itself for security firms and vendors. I believe there would
be a place for something with stricter rules on disclosure.

- vendor-sec. The place where you can play any kind of games you want.

It's not a black-and-white thing. I refuse to believe that most security
problems are found by people without any morals. I believe that somewhere
in the middle is where most people feel most comfortable.

Linus