Date:	Tue, 15 Jul 2008 18:41:36 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Tiago Assumpcao <tiago@...umpcao.org>
cc:	pageexec@...email.hu, Greg KH <greg@...ah.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10
On Tue, 15 Jul 2008, Tiago Assumpcao wrote:
> 
> How can I expect one to treat the unknown? If you are not aware of it, you do
> nothing.

Well, some people keep it secret and track it on vendor-sec or similar, 
hidden from us.

But then when they are ready to announce it, they want our help to glorify 
their corrupt process when they finally deign to let us know. And that 
really irritates me.

> All I ask for is to receive the "There are updates available." message as soon
> as one security problem is reported, understood and treated by your
> development part. And that is, as soon as possible, if you please.

Umm. You're talking to _entirely_ the wrong person.

The people who want to track security issues don't run my development 
kernels. They usually don't even run the _stable_ kernels. They tend to 
run the kernels from some commercial distribution, and usually one that is 
more than six months old as far as I - and other kernel developers - are 
concerned.

IOW, when we fix security issues, it's simply not even appropriate or 
relevant to you. More importantly, when we fix them, your vendor probably 
won't have the fix for at least another week or two in most cases anyway.

So ask yourself - what would happen if I actually made a big deal out of 
every bug we find that could possibly be a security issue. HONESTLY now!

We'd basically be announcing a bug that (a) may not be relevant to you, 
but (b) _if_ it is relevant to you, you almost certainly won't actually 
have fixed packages until a week or two later available to you!

Do you see?

I would not actually be helping you. I'd be helping the people you want to 
protect against!

			Linus