Date:	Tue, 15 Jul 2008 23:11:57 -0400
From:	Theodore Tso <tytso@....edu>
To:	Tiago Assumpcao <tiago@...umpcao.org>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	pageexec@...email.hu, Greg KH <greg@...ah.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

On Tue, Jul 15, 2008 at 11:24:25PM -0300, Tiago Assumpcao wrote:
>> The people who want to track security issues don't run my development  
>> kernels. They usually don't even run the _stable_ kernels. They tend to 
>> run the kernels from some commercial distribution, and usually one that 
>> is more than six months old as far as I - and other kernel developers - 
>> are concerned.
>
> Right *there* is where it is born! Right at your development kernels. It  
> may or may not survive up to the big market. However, being at the  
> source level, it is your duty to a) resolve the source-level issues; b)  
> put affordable efforts in order to prevent one known issue to arrive at  
> the end point.

I don't think we've ever heard any of the distro kernel engineers
complain that there is a problem with how commits are documented in
the upstream source.  Keep in mind, the distro kernels are usually at
least 6-9, to sometimes 18-24 months old.  So many of the security
bugs that show up in the development kernels simply don't *apply* to
the distro kernels; the security bugs simply aren't present in those
older kernels.

Of course, sometimes there are long-standing bugs.  But I don't think
the distro engineers have been complaining that they aren't finding
out about them because they aren't marked <<------ SECURITY BUG HERE
in big bold letters.

And again, talking about something as if it were their ***duty*** is
not a good way to persuade people to do things in the open source
world.  The only guaranteed way to get something done in the open
source is to help pay for it, or do it yourself.  Sometimes you can
convince others to do your work for you, but usually that requires
some reciprocity in the long run.

Regards,

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/