lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LFD.1.10.0807151331110.2867@woody.linux-foundation.org>
Date:	Tue, 15 Jul 2008 13:42:58 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	pageexec@...email.hu
cc:	Greg KH <greg@...ah.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10



On Tue, 15 Jul 2008, pageexec@...email.hu wrote:
> 
> i understand and i think noone expects that. in fact, i know how much
> expertise and time it takes to determine that. but what happens when
> you do figure out the security relevance of a bug during bug submission

The issue is that I think it's then _misleading_ to mark that kind of 
commit specially, when I actually believe that it's in the minority.

If people think that they are safer for only applying (or upgrading to) 
certain patches that are marked as being security-specific, they are 
missing all the ones that weren't marked as such. Making them even 
_believe_ that the magic security marking is meaningful is simply a lie. 
It's not going to be.

So why would I add some marking that I most emphatically do not believe in 
myself, and think is just mostly security theater?

I generally do not remove peoples changelog entries, although I _will_ 
do even that if I think it's just too much of an actual exploit 
description (of course - the patch itself can make the exploit fairly 
clear). So you'll find CVE entries etc in the logs if you look.

But I do hope that anybody who looks for them is _aware_ that it's just a 
small minority of possible problems.

Don't get me wrong - I'm not saying that security bugs are _common_, but 
especially some local DoS thing for a specific driver or filesystem or 
whatever can be a big security problem for _somebody_.

			Linus


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ