Andre Hedrick wrote:
> You forgot to include the kernel list
>
> On Fri, 21 Jul 2000, Michael W Zappe wrote:
>
> > In his defense, if Andre hadn't figured it out, and someone with shadier ethics did, it could be much worse. Exposing exploits is not a sin. I thought that the premise behing being "Open" was full disclosure. Or are we more interested in the "success" and acceptance of Linux rather than the principles everyone repeats.
Responsible full discloser however is a different subject. You -don't- have to post an exploit or even a working exploit for full discloser, and it IS considered proper etiquette to give the target two weeks to fix their issue BEFORE announcing to the world. Posting an exploit is for 99% of the crowd, only for the pleasure
of script kiddies. People in the know don't need an exploit to understand it. People who don't know how to do it get the exploit.
In LKML land, that means making the patch, speaking to the right people to get it finessed and proper and put into the release and dev kernels and not making a big public issue out of it until the kernel is done.
This whole thing is certainly important but the big mess about it was a useless waste of time. All it did was get people riled up and instead of responsibly putting the patch into the kernels, you're withdrawing it and developing another exploit for the SCSI system.
So in the end, we have exploits publicly available and refusal to provide protection. I appreciate your work Andre, but this is pure spitefulness.
Those of you that do have the patch Andre wrote, please make it available so someone can responsibly work on integrating it.
-d
-- "The difference between 'involvement' and 'commitment' is like an eggs-and-ham breakfast: the chicken was 'involved' - the pig was 'committed'."
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:16 EST