Message-Id: <20080717153222.0A4DF11803E@mailserver5.hushmail.com>
Date: Thu, 17 Jul 2008 11:32:20 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk, pschmehl_lists@...rr.com
Subject: Re: [Dailydave] Linux's unofficial security-through-coverup policy

Sorry if I was not clear enough, I meant in the commit comments. I 
agree, you need about a brain and a half to spot kernel bugs in the 
code itself...

On Thu, 17 Jul 2008 10:58:03 -0400 Paul Schmehl 
<pschmehl_lists@...rr.com> wrote:
>--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad
><elazar@...hmail.com> wrote:
>
>> I could understand why Linus is against classifying a commit
>> comment in his branch or in any unstable branch for that
>> matter...then again, the repositories are open, and anyone with
>> half a brain might be able to discern what has security
>> ramifications or not.
>
>Apparently this isn't as true as you'd like to think.  If it were,
>the folks who write the code would have caught it to begin with.
>After all, anyone who can write kernel code that works has *at
>least* half a brain, wouldn't you say?
>
>The truth is, there is a very small pool of people smart enough,
>educated enough and familiar with the code in question enough to
>actually spot security problems in the code.  Those folks are worth
>their weight in gold, but in many cases they do it for the pure
>pleasure of finding the bugs.  They also only focus on those things
>that interest them, so the number of people actually looking for
>security issues in the Linux kernel code is infinitesimally small
>compared to the number of people who use the compiled product.
>
>Claiming that "anyone with half a brain" can spot security
>problems in code belittles both those who actually can and all
>those who cannot but want to be informed about them so they can
>protect themselves.
>
>-- 
>Paul Schmehl
>As if it wasn't already obvious,
>my opinions are my own and not
>those of my employer.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

