Message-ID: <005001c8e6f8$ac0955f0$a6181fac@ad.checkpoint.com>
Date:	Wed, 16 Jul 2008 01:01:24 -0300
From:	"Rodrigo Rubira Branco" <rbranco@...checkpoint.com>
To:	<linux-kernel@...r.kernel.org>, <stable@...nel.org>
Cc:	<greg@...ah.com>, "'Justin Forbes'" <jmforbes@...uxtx.org>,
	"'Zwane Mwaikambo'" <zwane@....linux.org.uk>,
	"'Theodore Ts'o'" <tytso@....edu>,
	"'Randy Dunlap'" <rdunlap@...otime.net>,
	"'Dave Jones'" <davej@...hat.com>,
	"'Chuck Wolber'" <chuckw@...ntumlinux.com>,
	"'Chris Wedgwood'" <reviews@...cw.f00f.org>,
	"'Michael Krufky'" <mkrufky@...uxtv.org>,
	"'Chuck Ebbert'" <cebbert@...hat.com>,
	"'Domenico Andreoli'" <cavokz@...il.com>,
	"'Willy Tarreau'" <w@....eu>, <torvalds@...ux-foundation.org>,
	<akpm@...ux-foundation.org>, <alan@...rguk.ukuu.org.uk>,
	"'Alan Cox'" <alan@...hat.com>, <caglar@...dus.org.tr>,
	"'Greg KH'" <gregkh@...e.de>, <casey@...aufler-ca.com>
Subject: Re: [stable] Linux 2.6.25.10 (resume)

First of all, sorry for copying many people who maybe are not in the initial
discussion, but since I've not been copied I have no idea who is and who
is not in that thread ;)

The point that many people are trying to make is that Linux has a policy
defined in a document (Documentation/SecurityBugs) but is not following it.

It doesn't really matter to us what the policy is, but it's really important to
follow it (many people who are security professionals need that, and many
others who are NOT security professionals also).

We all know (both sides) that it's impossible to know everything related to
every bug and its security impact.  But there are a lot of different
situations well known as security problems (because the bug class is well
known, because someone reported it with details to the devels, etc).  Hiding it
is an option, disclosing it is another.  Having a policy is what matters.  Saying
something and doing another thing is always bad for everybody involved.
 

P.S.:  I'm speaking for myself, not for the company that I work for.


Rodrigo Rubira Branco (BSDaemon).
