Re: /dev/random on Linux

From: Kyle Moffett
Date: Tue May 16 2006 - 04:51:51 EST

On May 16, 2006, at 04:28, Muli Ben-Yehuda wrote:
On Tue, May 16, 2006 at 04:15:19AM -0400, Kyle Moffett wrote:
On May 15, 2006, at 22:50, Muli Ben-Yehuda wrote:
On Mon, May 15, 2006 at 11:41:07PM +0100, Alan Cox wrote:
A paper by people who can't work out how to mail linux-kernel or vendor-sec, or follow "REPORTING-BUGS" in the source,

Zvi did contact Matt Mackall, the current /dev/random maintainer, and was very keen on discussing the paper with him. I don't think he got any response.

So he's demanding that one person spend time responding to his paper?

Who said anything about demanding? He wanted to discuss the paper. He received no response (AFAIK). Please don't read more into it.

Pardon; my wording was overly harsh, but I still want to point out that assuming an unresponsive MAINTAINERS entry indicates that the person doesn't care is totally wrong. Given the volume of email a lot of these people receive, it's very easy for it to go unnoticed or be trapped by a spam filter. Publishing to the LKML is virtually always OK; even if you have a security problem, the average turnaround for "critical" security fixes like theoretical local root exploits is around 24 hours or so. We went through about 8 stable "releases" over the course of a little more than a week because of several fairly urgent security fixes during that time.

The "maintainer" for any given piece of the kernel is the entry in MAINTAINERS *and* linux-kernel@xxxxxxxxxxxxxxx *and* the appropriate sub-mailing-list.

For security related information, it is sometimes best not to tell the whole world about it immediately (although you should definitely tell the whole world about it eventually). It should've probably been posted to lkml when mpm didn't respond, I agree. I'll take the blame for not suggesting that to Zvi.

As I said above, even the LKML is probably ok if you think you've found an actual exploit. If you really feel nervous about exposing it, I believe there's a security@xxxxxxxxxx email where you can send such information which will even tentatively agree to a coordinated disclosure if you can prove that it's an urgent security problem.

Kyle Moffett

Premature optimization is the root of all evil in programming
-- C.A.R. Hoare
