lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c8b4dbe10807171408m1c8da2a4ga573f133d6beb86f@mail.gmail.com>
Date:	Thu, 17 Jul 2008 22:08:47 +0100
From:	"Aidan Thornton" <makosoft@...glemail.com>
To:	"Linus Torvalds" <torvalds@...ux-foundation.org>
Cc:	pageexec@...email.hu, "Greg KH" <greg@...ah.com>,
	"Andrew Morton" <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

On 7/15/08, Linus Torvalds <torvalds@...ux-foundation.org> wrote:
>
>
> On Tue, 15 Jul 2008, Linus Torvalds wrote:
>> 
>> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's 
>> the "look at the source" approach.
>
> Btw, and you may not like this, since you are so focused on security, one 
> reason I refuse to bother with the whole security circus is that I think 
> it glorifies - and thus encourages - the wrong behavior.
>
> It makes "heroes" out of security people, as if the people who don't just 
> fix normal bugs aren't as important.
>
> In fact, all the boring normal bugs are _way_ more important, just because 
> there's a lot more of them. I don't think some spectacular security hole 
> should be glorified or cared about as being any more "special" than a 
> random spectacular crash due to bad locking.

I hate to state the obvious, but there's a reason security holes are treated differently - because they're *not* *obvious*. If a system is crashing spectacularly, generally someone notices and tries to fix it. On the other hand, security holes are usually invisible in normal operation until a hacker uses one to walk off with tens of thousands of people's credit card details. That's why there's so much effort put into tracking them.

> Security people are often the black-and-white kind of people that I can't 
> stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in 
> that they make such a big deal about concentrating on security to the 
> point where they pretty much admit that nothing else matters to them.
>
> To me, security is important. But it's no less important than everything 
> *else* that is also important!

True, there are other serious types of bugs (silent data corruption is one particularly nasty one). However, for *any* serious bug, it's important to be clear on what the likely impact is and what's affected. This goes particularly for the ones that might otherwise not be obvious to the person affected until it's too late, such as security and silent data corruption bugs, but really it applies to all serious bugs. I'm not convinced these descriptions are clear enough.

Aidan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ