Message-ID: <48852E4D.3050405@la.checkpoint.com>
Date: Mon, 21 Jul 2008 21:48:13 -0300
From: "Rodrigo Rubira Branco (BSDaemon)" <rbranco@...checkpoint.com>
To: Alan Cox <alan@...hat.com>
CC: Greg KH <gregkh@...e.de>, linux-kernel@...r.kernel.org,
stable@...nel.org, greg@...ah.com,
"'Justin Forbes'" <jmforbes@...uxtx.org>,
"'Zwane Mwaikambo'" <zwane@....linux.org.uk>,
"'Theodore Ts'o'" <tytso@....edu>,
"'Randy Dunlap'" <rdunlap@...otime.net>,
"'Dave Jones'" <davej@...hat.com>,
"'Chuck Wolber'" <chuckw@...ntumlinux.com>,
"'Chris Wedgwood'" <reviews@...cw.f00f.org>,
"'Michael Krufky'" <mkrufky@...uxtv.org>,
"'Chuck Ebbert'" <cebbert@...hat.com>,
"'Domenico Andreoli'" <cavokz@...il.com>,
"'Willy Tarreau'" <w@....eu>, torvalds@...ux-foundation.org,
akpm@...ux-foundation.org, alan@...rguk.ukuu.org.uk,
caglar@...dus.org.tr, casey@...aufler-ca.com,
spender@...ecurity.net, pageexec@...email.hu,
rodrigo@...nelhacking.com
Subject: Re: [stable] Linux 2.6.25.10 (resume)
Alan Cox wrote:
>> @@ -1,7 +1,7 @@
>> -Linux kernel developers take security very seriously. As such, we'd
>> -like to know when a security bug is found so that it can be fixed and
>> -disclosed as quickly as possible. Please report security bugs to the
>> -Linux kernel security team.
>> +Linux kernel developers take security very seriously, in exactly the
>> +same way we do with any other bugs. As such, we'd like to know when
>> +a security bug is found so that it can be fixed as soon as possible.
>> +Please report security bugs to the Linux kernel security team.
>>
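Review bot: the added lines drop "and disclosed" from the sentence they replace, so the paragraph no longer tells a reporter whether or when a fixed bug will be disclosed. If disclosure is meant to be covered elsewhere in the document, point to it here; otherwise keep a disclosure statement next to "fixed as soon as possible". The inserted clause "in exactly the same way we do with any other bugs" also reads ambiguously directly after "very seriously" and would be clearer as its own sentence.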
>
> NAK this. If the fix is not clear and the bug not too serious it is better
> to disclose it than fail to fix it. The security team does not usually fix the
> bugs, the experts in the various bits of code do.
>
ACK ;) Changed the sentence. Tks.
>> -Any exploit code is very helpful and will not be released without
>> -consent from the reporter unless it has already been made public.
>> +Any exploit code is very helpful and will not be released.
>>
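Review bot: the replacement line "Any exploit code is very helpful and will not be released." removes both conditions of the old text, the reporter's consent and the "unless it has already been made public" exception. As written, the promise extends to exploit code that is already public and gives the reporter no way to authorize release; consider keeping both conditions or stating the new limits explicitly.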
>
> NAK this too. If someone releases an exploit publicly or it leaks we
> want to be able to freely share it too. Your proposal would mean any but
> those dumb enough to agree to this could share it. That is why the unless made
> public is part of every generic NDA document on the planet.
>
Agreed. Changed the sentence. Tks.
> The rest needs Linus to return from holiday for discussion and that'll
> be a week or two. In the meantime you might want to define "disclose" as
> I don't think we all agree on what it means as you've not defined who is and
> isn't the linux security team and/or its helpers.
Cool.
View attachment "SecurityBugs.patch" of type "text/plain" (2694 bytes)