lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 May 2018 20:52:29 -0700 From: Guenter Roeck <linux@...ck-us.net> To: "Theodore Y. Ts'o" <tytso@....edu>, Mark Brown <broonie@...nel.org>, Sasha Levin <Alexander.Levin@...rosoft.com>, Daniel Vetter <daniel.vetter@...ll.ch>, "ksummit-discuss@...ts.linuxfoundation.org" <ksummit-discuss@...ts.linuxfoundation.org>, Greg KH <gregkh@...uxfoundation.org>, "w@....eu" <w@....eu>, "julia.lawall@...6.fr" <julia.lawall@...6.fr>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [Ksummit-discuss] bug-introducing patches On 05/02/2018 08:10 PM, Theodore Y. Ts'o wrote: > On Thu, May 03, 2018 at 11:05:50AM +0900, Mark Brown wrote: >> On Wed, May 02, 2018 at 07:46:34PM +0000, Sasha Levin wrote: >> >>> As you said, the regression should be fixed "asap", not "immediately". >>> It should go through some sort of review and testing the maintainers are >>> happy with, but unfourtenately it doesn't happen now. >> >> Doesn't happen some of the time. It's not like this is a universal >> problem. >> >> Especially for driver specific things there's at times no realistic >> prospect of getting useful independent review of fixes, the hardware >> isn't always widely available and if the fix isn't a pure software thing >> at some point you just have to trust the judgement of the vendor. > > And sometimes the Demon Murphy will cause a regression fix for user A, > to cause breakage for slightly different hardware belonging to user B. :-( > Believe me, I get my share of those. 7dac4a1726a9 ("ext4: add validity checks for bitmap block numbers") and its fix 22be37acce25 (" ext4: fix bitmap position validation") are pretty good examples. Yet, at the same time I had to deal with three additional CVEs in the ext4 code. Even though the initial fix for one of the four was buggy, I am glad that I got the other three through stable releases. As for -next, me and others stopped reporting bugs in it, because when we do we tend to get flamed for the "noise". Is anyone aware (or cares) that mips and nds32 images don't build ? Soaking clothes in an empty bathtub won't make them wet, and bugs in code which no one builds, much less tests or uses, won't be found. I can only repeat - what we need is more sophisticated testing, not a more restrictive process. Guenter
Powered by blists - more mailing lists