Re: [OT] Joerg Schilling flames Linux on his Blog

From: Kyle Moffett
Date: Wed May 25 2005 - 18:13:22 EST


On May 25, 2005, at 09:15:33, Joerg Schilling wrote:
> If Linux believes that there should be enhanced security similar to Solaris and
> if Linux is a true open Source business, then I would expect that there is
> cooperation. If I change things in e.g. mkisofs or cdrecord that could result
> in problems for my "users", I send a notification mail to the XCDRoast & k3b
> authors early enough.

There was a security hole in the CD burner support. The Linux Kernel developers
fixed it quickly. They were not planning to wait 6 months for you to get an
updated version of cdrecord out the door in any case. If you want more
information on the Linux Kernel security policy, please see a recent copy of the
linux kernel for the file Documentation/SecurityBugs. To quote the relevant
part: "It is reasonable to delay disclosure ... or for vendor coordination.
However we expect these delays to be short, measurable in days, not weeks or
months." Part of this policy includes "we'd like to know when a security bug is
found so that it can be fixed and disclosed as quickly as possible." This seems
to imply that the security team is not likely to wait 6 months to fix a critical
hardware-damaging vulnerability.

> If the cause for the change really was the "security problem" caused by the
> fact that Linux allowed sending SCSI commands on R/O file descriptors, it
> would have been sufficient to require R/W permissions on the fd. After this
> putative small change, the supposed problem would have been fixed, and cdrtools
> as well as other users of the interface would have worked as before.

I will not debate this issue with you. Please see the copious quantities of
emails when this issue was brought up a while ago.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r !y?(-)
------END GEEK CODE BLOCK------
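Added example, not from this mail, from cdrtools or from the kernel: a userspace C model of the two access policies the quoted paragraph contrasts for SCSI pass-through on a block device. Policy A is Joerg's proposal (require a writable fd, regardless of command); policy B is a per-opcode filter that lets read-only commands through on an O_RDONLY descriptor and otherwise falls back to policy A. The opcode whitelist is a hypothetical illustration, not a reproduction of the kernel's filter table, and the CDBs are constructed in the program rather than sent to any device.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A few SCSI opcodes (values from the SCSI command set), used only to
 * build the constructed CDBs below. */
enum {
    SCSI_TEST_UNIT_READY = 0x00,
    SCSI_FORMAT_UNIT     = 0x04,
    SCSI_INQUIRY         = 0x12,
    SCSI_READ_10         = 0x28,
    SCSI_WRITE_10        = 0x2a,
};

typedef bool (*policy_fn)(int open_flags, const uint8_t *cdb, size_t cdb_len);

/* Policy A (the proposal in the quoted mail): any pass-through SCSI
 * command needs a descriptor that was opened for writing; the command
 * itself is not inspected. */
bool policy_rw_fd(int open_flags, const uint8_t *cdb, size_t cdb_len)
{
    (void)cdb;
    (void)cdb_len;
    int mode = open_flags & O_ACCMODE;
    return mode == O_RDWR || mode == O_WRONLY;
}

/* Policy B: a per-opcode filter. The whitelist here is hypothetical:
 * commands that cannot change media or device state are allowed on a
 * read-only descriptor; everything else needs write access (policy A). */
bool policy_opcode_filter(int open_flags, const uint8_t *cdb, size_t cdb_len)
{
    if (cdb_len == 0)
        return false;               /* empty CDB: nothing to classify, deny */
    switch (cdb[0]) {               /* byte 0 of a CDB is the opcode */
    case SCSI_TEST_UNIT_READY:
    case SCSI_INQUIRY:
    case SCSI_READ_10:
        return true;
    default:
        return policy_rw_fd(open_flags, cdb, cdb_len);
    }
}

/* Build a 10-byte CDB carrying only the opcode and run it through a policy. */
bool check_opcode(policy_fn policy, int open_flags, uint8_t opcode)
{
    uint8_t cdb[10];
    memset(cdb, 0, sizeof cdb);
    cdb[0] = opcode;
    return policy(open_flags, cdb, sizeof cdb);
}

int main(void)
{
    /* Constructed cases: how a reader and a burner fare under each policy. */
    struct { const char *name; int flags; uint8_t op; } cases[] = {
        { "O_RDONLY + INQUIRY",  O_RDONLY, SCSI_INQUIRY  },
        { "O_RDONLY + READ(10)", O_RDONLY, SCSI_READ_10  },
        { "O_RDONLY + WRITE(10)", O_RDONLY, SCSI_WRITE_10 },
        { "O_RDWR   + WRITE(10)", O_RDWR,   SCSI_WRITE_10 },
        { "O_RDONLY + FORMAT UNIT", O_RDONLY, SCSI_FORMAT_UNIT },
    };
    printf("%-26s %-10s %-10s\n", "case", "rw-fd", "opcode");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-26s %-10s %-10s\n", cases[i].name,
               check_opcode(policy_rw_fd, cases[i].flags, cases[i].op) ? "allow" : "deny",
               check_opcode(policy_opcode_filter, cases[i].flags, cases[i].op) ? "allow" : "deny");
    }
    return 0;
}
```

The table the program prints makes the trade-off concrete: under policy A a program that opens a drive read-only to run INQUIRY or READ is denied along with WRITE, so every existing read-only user must change its open flags; under policy B the read-only users keep working and only state-changing commands need a writable descriptor. Which commands belong on the read-safe list is exactly the part that has to be maintained, and that is where the two sides of the argument differ.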



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/