For what it is worth...
Posted Jan 10, 2005 18:41 UTC (Mon) by geomon
In reply to: For what it is worth...
Parent article: grsecurity 2.1.0 and kernel vulnerabilities
"lots of speculation so let's..."
From my perspective, you are trying to defend yourself when you shouldn't have to.
"understand please that we (well, spender at least) already had had a working two-way email connection with Linus. during the holidays..."
That is a problem. You have, of course, identified the source of the problem and have already recommended a solution.
"1. how much more we should have waited..."
For a legitimate bug? Not long I would hope (I am a user!).
"2. why we shouldn't have contacted Linus/Andrew in the first place"
You should have if there isn't an appropriate point-of-contact already established. That is the root cause of the problem.
"3. why we should have contacted Alan first (who is explicitly not the security contact anymore)"
You shouldn't have to. If Alan is not *the* person for security matters, that would be inappropriate as well.
"4. why we should have contacted a VM hacker first (none of whom is a security contact either, not even for their respective employer, let alone linux/VM in general)."
I've got to agree with this one too. Why should I go to the grocery store to get my car's front end aligned?
"see, i've been in the security industry for some number of years now, and i know quite well what best practices are (everyone's got his own, but there're some common elements)"
You are projecting defensiveness again. Give it a rest - you've made your point.
"rule 1: you contact the explicit security contact first."
An explicit security contact should have been established *first*. That has either not happened yet, or the point-of-contact has changed. In either case, if the information is not readily available, then NO credible process exists for submitting security patches.
I share your shock at that prospect.
"for linux this used to be Alan himself, nowadays it's vendor-sec (yes, that means you're not supposed to deal with individual distros, that's why vendor-sec was established in the first place)."
That may work for individual vendors. How about establishing a Linux security working group that is composed of security contacts from the vendors?
What is missing in this discussion is a single point-of-contact, regardless of how it is composed, with contact information posted at kernel.org, kerneltrap.org, linux.org, or lwn.net.
"rule 2: short of such a security contact, you begin contacting the 'people in control'"
See Rule 1.
"> PaxTeam isn't subscribed to LKML. Why? Because "there's too much"?
correct, i have a day job (unrelated to linux),"
And you shouldn't HAVE to subscribe to a mailing list to get a point-of-contact. That is pure stupidity.
That's why web pages were invented: "http://groups-beta.google.com/group/alt.hypertext/msg/395..."
"> And the fact that it claims to report a security vulnerability is quite likely to get it classified as "crying wolf"
i provided a proof of concept exploit (which you would know if you had actually read the announcement and posts here)."
The fact is, every event of security should be treated as a serious condition. It should not be the job of the submitter to determine whether the issue is serious or not; they may not be security experts but probably have noted a serious condition that they cannot explain by themselves.
This issue is a confidence buster if the community cannot produce a credible notification scheme. One of the key arguments that Linux advocates have used for years in defending the security of its products has been the claim that "many eyes" are better than code obfuscation. I have observed how this submitter has been treated and would question why ANYONE would submit a security concern to the community at this point.
Continuing to blame the person who submits the bug report, regardless of how they did it, is unacceptable. That smacks of the same arrogance that drove us to use Linux in the first place. Linux developers need to provide certainty to the user community that their concerns will be addressed and not arbitrarily dismissed.