Re: thoughts on kernel security issues

From: Alan Cox
Date: Thu Jan 13 2005 - 15:43:32 EST


On Iau, 2005-01-13 at 20:10, Linus Torvalds wrote:
> In fact, right now we seem to encourage even people who do _not_
> necessarily want the delay and secrecy to go over to vendor-sec, just
> because the vendor-sec people are clearly arguing even against
> alternatives.

If someone posts something to vendor-sec that says "please tell Linus"
we would. If someone posts to vendor-sec saying "I posted this to
linux-kernel, here's a heads up" it's useful. If you are an uber cool elite 0
day disclosure weenie you post to full-disclosure or bugtraq. There are
alternatives 8)

> Which is something I do not understand. The _apologia_ for vendor-sec is
> absolutely stunning. Even if there are people who want to only interface
> with a fascist vendor-sec-style absolute secrecy list, THAT IS NOT AN
> EXCUSE TO NOT HAVE OPEN LISTS IN _ADDITION_!

I'm all for an open list too. It's currently called linux-kernel. It's
full of such reports, and most of them are about new code or trivial
holes where secrecy is pointless. Having an open linux-security list so
they don't get missed as the grsecurity stuff did (and until I got fed
up with waiting the coverity stuff did) would help because it would make
sure that it didn't get buried in the noise.

Similarly, it would help if, when you are sneaking security fixes in (as you do
regularly), you actually told the vendors about them.

Alan
