Re: [stable] Linux 2.6.25.10

From: Tiago Assumpcao
Date: Tue Jul 15 2008 - 22:26:55 EST


Linus Torvalds wrote:

Well, some people keep it secret and track it on vendor-sec or similar, hidden from us.

But then when they are ready to announce it, they want our help to glorify their corrupt process when they finally deign to let us know. And that really irritates me.


Again, not asking for what you can not provide. You must, however, do your part.

The people who want to track security issues don't run my development kernels. They usually don't even run the _stable_ kernels. They tend to run the kernels from some commercial distribution, and usually one that is more than six months old as far as I - and other kernel developers - are concerned.

Right *there* is where it is born! Right at your development kernels. It may or may not survive up to the big market. However, being at the source level, it is your duty to a) resolve the source-level issues; b) put affordable efforts in order to prevent one known issue to arrive at the end point.


IOW, when we fix security issues, it's simply not even appropriate or relevant to you. More importantly, when we fix them, your vendor probably won't have the fix for at least another week or two in most cases anyway.


There is obviously room for suffering from this delay. It's really small, however, if you understand that this is not enough time for widely spread exploits to be in the hands of every corner kid. Not.

Thus, consider the following: how many computers are likely to suffer from one bug that has been advised (marked as "security related" in your bugzilla), and, one week later, fixed? Now, how many computers are likely to suffer from one bug that has been advised and fixed 8 weeks later? A lot more, I presume.

Ok. Now, imagine this scenario: one bug that has never been identified as "security relevant" is assigned and/or fixed by your people. Remember, your list is open to public. Do you have a clue of how many individuals keep watching every bug/fix, with a "security antenna" turned on, expecting for the right bug to show up and... not receive the attention it needs so they can do whatever they want, for the amount of time they please? Several.

Now, tell me, how many computers are likely to suffer from the last scenario; the one that you cultivate?

So ask yourself - what would happen if I actually made a big deal out of every bug we find that could possibly be a security issue. HONESTLY now!


Just mark it. No big deal.


I would not actually be helping you. I'd be helping the people you want to protect against!

Linus


Those who can see, and quickly exploit it, do not need your mark. They will figure it out right after it was assigned and an exploit will exist in the wild not after you fix the bug. So, let's work for the smallest pain. Right?

--t
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/