LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

LWN.net Weekly Edition for June 6, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

For what it is worth...

For what it is worth...

Posted Jan 10, 2005 18:41 UTC (Mon) by geomon (guest, #27127)
In reply to: For what it is worth... by PaXTeam
Parent article: grsecurity 2.1.0 and kernel vulnerabilities

"lots of speculation so let's..."

From my perspective, you are trying to defend yourself when you shouldn't have to.

"understand please that we (well, spender at least) already had had a working two-way email connection with Linus. during the holidays..."

That is a problem. You have, of course, identified the source of the problem and have already recommended a solution.

"1. how much more we should have waited..."

For a legitimate bug? Not long I would hope (I am a user!).

"2. why we shouldn't have contacted Linus/Andrew in the first place"

You should have if there isn't an appropriate point-of-contact already established. That is the root cause of the problem.

"3. why we should have contacted Alan first (who is explicitly not the security contact anymore)"

You shouldn't have to. If Alan is not *the* person for security matters, that would be inappropriate as well.

"4. why we should have contacted a VM hacker first (none of whom is a security contact either, not even for their respective employer, let alone linux/VM in general)."

I've got to agree with this one too. Why should I go to the grocery store to get my car's front end aligned?

"see, i've been in the security industry for some number of years now, and i know quite well what best practices are (everyone's got his own, but there're some common elements)"

You are projecting defensiveness again. Give it a rest - you've made your point.

"rule 1: you contact the explicit security contact first."

WRONG!

An explict security contact should have been established *first*. That has either not happened yet, or the point-of-contact has changed. In either case, if the information is not readily available, then NO credible process exists for submitting security patches.

I share your shock at that prospect.

"for linux this used to be Alan himself, nowadays it's vendor-sec (yes, that means you're not supposed to deal with individual distros, that's why vendor-sec was established in the first place)."

That may work for individual vendors. How about establishing a Linux security working group that is composed of security contacts from the vendors?

What is missing in this discussion is a single point-of-contact, regardless of how it is composed, with contact information posted at kernel.org, kerneltrap.org, linux.org, or lwn.net.

"rule 2: short of such a security contact, you begin contacting the 'people in control"

WRONG.

See Rule 1.

"> PaxTeam isn't subscribed to LKML. Why? Because "there's too much"?

correct, i have a day job (unrelated to linux),"

And you shouldn't HAVE to subscribe to a mailing list to get a point-of-contact. That is pure stupidity.

That's why web pages were invented: "http://groups-beta.google.com/group/alt.hypertext/msg/395..."

"> And that fact that it claims to report a security vulnerability is quite likely to get it classified as "crying wolf"

i provided a proof of concept exploit (which you would know if you had actually read the announcement and posts here)."

The fact is, every event of security should be treated as a serious condition. It should not be the job of the submitter to determine whether the issue is serious or not; they may not be security experts but probably have noted a serious condition that they cannot explain by themselves.

This issue is a confidence buster if the community cannot produce a credible notification scheme. One of the key arguments that Linux advocates have used for years in defending the security of its products has been the claim that "many eyes" are better than code obfuscation. I have observed how this submitter has been treated and would question why ANYONE would submit a security concern to the community at this point.

Continuing to blame the person who submits the bug report, regardless of how they did it, is unacceptable. That smacks of the same arrogance that drove us to use Linux in the first place. Linux developers need to provide certainty to the user community that their concerns will be addressed and not arbitrarily dismissed.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds