Message-ID: <1374033238.2537.98.camel@deadeye.wl.decadent.org.uk>
Date: Wed, 17 Jul 2013 04:53:58 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: Greg KH <greg@...ah.com>
Cc: Jiri Kosina <jkosina@...e.cz>,
James Bottomley <James.Bottomley@...senPartnership.com>,
ksummit-2013-discuss@...ts.linuxfoundation.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [Ksummit-2013-discuss] KS Topic request: Handling the Stable kernel, let's dump the cc: stable tag

On Tue, 2013-07-16 at 09:36 -0700, Greg KH wrote:
> On Tue, Jul 16, 2013 at 11:11:24AM +0200, Jiri Kosina wrote:
> > On Mon, 15 Jul 2013, Greg KH wrote:
> >
> > > > Anything that's being reviewed on the stable list is public. I know
> > > > this is an old argument, but if you point out a fix you *know* has a
> > > > security impact then you'll help general distribution maintainers and
> > > > users a lot more than you help the black-hats who are quite capable of
> > > > recognising such a fix (if they haven't already spotted and exploited
> > > > the bug).
> > >
> > > I'm sorry, but you know I will not do that, so asking about it isn't
> > > going to change this behavior.
> >
> > I just followed up in the other thread, where Ted was explaining why the
> > huge /dev/random rework was a -stable material.
> >
> > Why specifically would it be wrong to be open about this being security
> > related, and providing the necessary data (i.e. at least reference to
> > http://factorable.net/) publicly?
> >
> > I fail to see what the point behind hiding this would be.
>
> I'm not "hiding" anything, all I'm doing is using the exact same
> changelog comments that are in Linus's tree, and nothing else.

Right, and I wouldn't expect you to edit commit messages. But if a fix
was privately proposed to you for stable on the grounds that the bug is
found to be exploitable, maybe you could include that information in the
cover message for the review.

Ben.

--
Ben Hutchings
Humans are not rational beings; they are rationalising beings.