lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <487D0564.7070606@assumpcao.org>
Date:	Tue, 15 Jul 2008 17:15:32 -0300
From:	Tiago Assumpcao <tiago@...umpcao.org>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
CC:	pageexec@...email.hu, Greg KH <greg@...ah.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

Linus Torvalds wrote:
> 
> That means that I want to fix things asap. But that also means that there is never a 
> time when you can "let people know", except when it's not an issue any 
> more, at which point there is no _point_ in letting people know any more.
> 

The only plausible solution people have found to this problem is
"letting the world know", so everyone involved in the different stages
of IT maintenance can do their part and properly spread the solution
throughout the assets.

Unless you have a better idea, the full-disclosure policy must remain or
we're going back into 1992AD -- except the threats are thereof 2008.

> So I personally consider security bugs to be just "normal bugs". I don't 
> cover them up, but I also don't have any reason what-so-ever to think it's 
> a good idea to track them and announce them as something special. 
> 
> So there is no "policy". Nor is it likely to change. 
> 
> 			Linus

Either someone classify and inform it as it is, a *security problem*, or 
the issue is likely to pass unnoticed by the majority or to not receive 
the necessary attention by the involved parts.

Right. You don't want your developers to be responsible for classifying 
bugs towards security. Fine. Even though my intuition and personal 
experience tell that the question must be approached by those deeply 
involved in the development life-cycle, which, on their side, are 
responsible for finding, classifying, advising and fixing the security 
issues. This seems appropriate. Further, this appears to be what the big 
software houses nowadays do: from early design and development stages, 
have people to [security] review their applications before deployment, 
up to giving high attention and adequate support to any reported 
security problem, afterwards release. Maybe this is all silly and the 
world is swimming in the wrong direction.

Opinions apart, what really matters: we have an ultimate declaration 
about Linus' tree -- we may forget the pre-official (?) announcement 
[Documentation/SecurityBugs] and know that someone else must, 
eventually, classify and inform the world about security bugs existent 
in their software.
 From our consumer side, every time an issue of this nature is found, 
let's pray for some intermediate, gray, angel to send us an "warning" 
message.


Not more I can do but to make sure that all my peers are informed of 
such a grave reality.

Sincerely,
Tiago

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ