Re: thoughts on kernel security issues

[Dave Jones]

On Thu, Jan 13, 2005 at 10:48:14PM +0100, Marek Habersack wrote:
 
 > > If admins don't install updates in a timely manner, there's
 > > not a lot we can do about it.  For those that _do_ however,
 > > we can make their lives a lot more stress free.
 > Indeed, but what does have it to do with a closed disclosure list? 

For the N'th time, it gives vendors a chance to have packages
ready at the time of disclosure.

 > With open
 > disclosure list you provide a set of fixes right away, the admins take them
 > and apply. With closed list you do the same, but with a delay (which gives
 > an opportunity for a "race condition" with the bad guys, one could argue).
 > So, what's the advantage of the delayed disclosure?

Not having to panic and rush out releases on day of disclosure.
Not having users vulnerable whilst packages build/get QA/get pushed to mirrors.

Users of kernel.org kernels get to build and boot in under an hour.
Vendor kernels take a lot longer to build.

1- More architectures.
   (And trust me, there's nothing I'd like more than to be able
	to increase the speed of kernel builds on some of the architectures
	we support).
2- More generic, ie more modules to build.

In the case of public disclosure of issues that we weren't aware of,
it's a miracle that we get update kernels out on day of disclosure
in some cases. (In others, we don't, and the same applies to other vendors too)

		Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/