Date: Tue, 15 Jul 2008 20:27:53 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: Tiago Assumpcao <tiago@...umpcao.org>
CC: Theodore Tso <tytso@....edu>, Linus Torvalds <torvalds@...ux-foundation.org>, pageexec@...email.hu, Greg KH <greg@...ah.com>, Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

Tiago Assumpcao wrote:
> Theodore Tso wrote:
>> Look if you want this, pay $$$ to a distribution and get their
>> supported distribution. It costs time and effort to classify bugs as
>> security related (or not), (...)
>
> That's fallacious. Assuming that you have good programmers, and you
> do, it's of very low cost the act of identifying what *is likely to
> be* a security bug.

That is based on lots and lots of assumptions that are just not true.
Ted Tso, Stephen Smalley and I are all recognized as security experts
and we can't even agree on whether sockets are objects or not, much
less what constitutes a security bug and even less what is likely to
be a security bug. Goodness, there are some of us who would argue that
since DNS is itself a security bug it is just not possible for DNS to
have a security bug, as an example.

> In most cases, they are easy to spot.

Err, no, in the kernel environment a real security flaw is likely to
be pretty subtle.

> And, hey, we are not asking for an absurd amount of care. You must not
> pay $200 /hour for someone to review your software. All I, personally,
> ask for is that the basic attention is given. With this simple act,
> I'm sure you would cover the majority of the bugs.
>
>> It will cost you money, but hey, the people who want
>> this sort of thing typically are willing to pay for the service.
>>
>
> So, only those willing to pay have the right of respect? Because, you
> see, this is rather a matter of respect with those who choose to use
> your solution. And, no, the "free will" argument does not qualify
> herein.

My mother is not aware of your absurd acts.

>
>> I'll note that trying to classify bugs as being "security-related" at
>> the kernel.org level often doesn't help the distro's, since many of
>> these bugs won't even apply to whatever version of the kernel the
>> distro's snapshotted 9-18 months ago. So if the distro snapshotted
>> 2.6.18 in Fall 2006, and their next snapshot will be sometime two
>> years later in the fall of this year, they will have no use for some
>> potential local denial of service attack that was introduced by
>> accident in 2.6.24-rc3, and fixed in 2.6.25-rc1. It just doesn't
>> matter to them.
>
> I don't follow what you have just said. What is the problem with
> "versioning" and the strictness of its relation to bugs, security or not?
>
>>
>> So basically, if there are enough kernel.org users who care, they can
>> pay someone to classify and issue CVE numbers for each and every
>> potential "security bug" that might appear and then disappear.
>
> I think, CVE registration or the alike would be too much for what I
> call "act of decency". A single parenthesis note on the bug itself
> would be of great help and of small effort.
>
>
> --t
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/