LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

poor social estrategy

poor social estrategy

Posted Jan 9, 2005 0:51 UTC (Sun) by sbergman27 (guest, #10767)
In reply to: poor social estrategy by PaXTeam
Parent article: grsecurity 2.1.0 and kernel vulnerabilities

No need. You have already stated your postition and mindset quite clearly enough for everyone to understand. And yes, I am exiting this thread, as I rather dislike participating in useless flamewars, which is what this has become.

I will, however, take this opportunity to agree with you that if such a document does not exist, it very much should. People should *not* have to read LKML to know these things. If grsecurity had not released exploit code to the world, I would even be sympathetic. However, when an organization actually releases an exploit, it needs to be held to higher standards than the average Joe. The research on proper proceedure needs to be done, and thoroughly.

If you wish, we can continue this discussion via private email. I'm at steve_AT_rueb.com.

Live Long and Prosper,
Steve Bergman

(Log in to post comments)

poor social estrategy

Posted Jan 9, 2005 17:13 UTC (Sun) by PaXTeam (subscriber, #24616) [Link]

everything i discussed here very much belongs to the public and it shall stay so. i see you are quick to accuse others of being irresponsible but don't actually have the guts to apologize when your claims prove to be without merit. you also haven't realized that there are bigger issues here than the fate of a handful bugs, which is the whole point why we tested the waters with them only, not more critical stuff. some questions for you and the community to answer: why can the BSDs have a designated security officer and linux not? why can you communicate with said officers using proper encryption whereas you cannot with vendor-sec? why did nothing happen after the do_brk() bug/exploit leak more than a year ago so just in time history could repeat itself with the uselib() bug/exploit? why didn't you, Steve Bergman, complain about *that* yet? why is it acceptable that isec can release local root exploits with their advisories (which are anything but simple to understand and hence reproduce) but a few liner in assembly (trivial to reproduce) makes you scream 'irresponsible'? hipocrisy abound and you talk about holding others to higher standards.

keep the pissing contests for IRC

Posted Jan 9, 2005 22:07 UTC (Sun) by dw (subscriber, #12017) [Link]

If there is still a problem here, take it to e-mail, or IRC. LWN comment postings are not the place for it - remember your comments will probably exist here long after you cease to.

keep the pissing contests for IRC

Posted Jan 10, 2005 12:13 UTC (Mon) by coolian (guest, #14818) [Link]

Just remember, the Pax guy is trying to do a good thing, and wants it
fixed. He may have the social graces of a walrus, but he's at least
*doing* something about a problem. Stop ripping the guy and acting like
armchair quarterbacks.

keep the pissing contests for IRC

Posted Jan 10, 2005 12:29 UTC (Mon) by zorgan (guest, #4016) [Link]

May I politely request that everybody stops confusing the PaX team with
the grsecurity developers? I haven't seem anybody of the PaX team
"behaving like a social walrus" (not that I think this term would be fair
to Brad Spengler, either).

Anyway, the suggestion that Andrea Arcangeli would currently be more of a
VM maintainer than Linus Torvalds or Andrew Morton is so funny that I
don't understand why anybody took sbergman27 seriously. He has done
important development on the VM a couple of times, but he has never
adopted anything like a maintainer's role, AFAIK.

But I think the main point remains (and that's why this discussion makes
sense): If Linus and akpm get too much flooded with e-mails that they
cannot even reply to a local DoS report within 3 weeks, then maybe they
should appoint someone to be a security contact person? Someone who is
willing to look into such reports, can judge their severity, and contact
the relevant maintainers to review proposed patches etc.?

keep the pissing contests for IRC

Posted Jan 11, 2005 8:11 UTC (Tue) by Wol (guest, #4433) [Link]

Why's it funny that "Andrea would be more of a VM mainainer than Linus"?

After all, it was *Andrea* that *wrote* the thing in the first place, not Linus...

Cheers,
Wol

keep the pissing contests for IRC

Posted Jan 11, 2005 20:11 UTC (Tue) by zorgan (guest, #4016) [Link]

Because *writing* != *maintaining*.

Maintaining means reviewing other people's patches, forwarding them to
tree maintainers, making sure the code stays clean and well-documented,
etc. Andrea has not even bothered much sending his own to Linus/Marcelo.

poor social estrategy

Posted Jan 10, 2005 13:07 UTC (Mon) by philips (guest, #937) [Link]

Thanks for you work, PaX.

I've being hitting this bug (as bug, but not securinty hole) several times before.

I hope that now it will be fixed.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds