Message-Id: <200807171141.20430.sgrubb@redhat.com>
Date: Thu, 17 Jul 2008 11:41:19 -0400
From: Steve Grubb <sgrubb@...hat.com>
To: dailydave@...ts.immunitysec.com
Cc: full-disclosure@...ts.grok.org.uk, Brad Spengler <spender@...ecurity.net>,
	Valdis.Kletnieks@...edu, Dave Aitel <dave@...unityinc.com>
Subject: Re: [Dailydave] Linux's unofficial security-through-coverup policy

On Thursday 17 July 2008 06:57:57 Dave Aitel wrote:
> I think what Brad and the Pax Team are saying here is that:
> 1. We hold Linux to a higher standard than a company - we expect the
> term "open source" to apply to more than just the source code.
> 2. For that reason, the community finds it discomforting when kernel
> maintainers know that a patch has a serious security ramification and
> essentially lie about it by neglecting to put that into the patch
> comments. That's the sort of behavior we expect from a large commercial
> entity.

Linux is a community which means that it needs people helping out when they 
see something that no one else is doing. The community is not divided into 
people inside and outside the community. Everyone can help. Also, security 
reviews do not have to be confrontational in nature. 

Instead of following each dot release with something written in a 
condescending tone, why not start doing this in a more calm tone for each 
kernel release with a little more explanation that not so technically savvy 
people understand? Then take the step of submitting the bugs for CVE numbers. 
Over time I think it would be a valuable reference for admins.

IOW, turn the negative that you see into something positive for the community.

-Steve
