Date:	Wed, 16 Jul 2008 01:09:20 +0200
From:	pageexec@...email.hu
To:	Greg KH <greg@...ah.com>
CC:	Theodore Tso <tytso@....edu>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

On 15 Jul 2008 at 15:39, Greg KH wrote:

> On Tue, Jul 15, 2008 at 10:28:44PM +0200, pageexec@...email.hu wrote:
> > Ted, the discussion is *not* about what the best disclosure policy
> > would be for the kernel. the problem i raised was that there's one
> > declared policy in Documentation/SecurityBugs (full disclosure) yet
> > actual actions are completely different and now Linus even admitted
> > it.
> 
> Huh?
> 
> How does what is described there differ from what Linus said,

read his mails and my responses, it's all in there. basically, he said
so himself that he knowingly withholds information. no matter how you spin
that, that's not full disclosure. note that i'm not advocating for using
that disclosure policy for kernel bugs, it's what *you* guys chose and
i'm just asking why you're not practicing it. you're also free to change
to something else, just don't forget to tell the world about it.

> or the -stable team has been doing so far?
> 
> What specifically are you asking for that is different?

that doc says full disclosure, it doesn't say 'but withholding this
or that'. if you don't know what 'full disclosure' means then you're
welcome to ask on proper security mailing lists such as bugtraq or
dailydave or, why not, the list named after this very policy.

> The -stable commits are exactly the same as they are in mainline
> (Linus's tree).  Are you upset by the fact that I am not saying, "Hey,
> look, here's a bugfix that might be security related

yes, you should include that at least. i didn't say that btw, your fellow
-stable maintainer did:

  Had I realized there was a security issue, I would highlight it in the
  announce message.  In fact, that's our standard procedure for -stable.
  (http://lkml.org/lkml/2008/6/10/328)

the 2.4 maintainer agreed with him:

  I don't like obfuscation at all WRT security issues, it does far more
  harm than good because it reduces the probability to get them picked
  and fixed by users, maintainers, distro packagers, etc...
  (http://lkml.org/lkml/2008/6/10/452)

i think you're outgunned here Greg. and no, i'm not upset (after all, i'm
the one catching you cover up security bugs, right? you're not hurting me),
but more and more of your users are.

> and here's how to reproduce it!" in big flashing letters?

no, that doesn't really belong there but it's a nice addition for certain
people.

Greg, instead of pretending to be surprised and upset or whatever, go
read the whole thread first.

cheers,
  PaX Team
