For what it is worth...

Posted Jan 10, 2005 21:30 UTC (Mon) by Ross (subscriber, #4065)
In reply to: For what it is worth... by Wol
Parent article: grsecurity 2.1.0 and kernel vulnerabilities

There was no crying wolf and there were no "proper channels". If these
type of bug reports are not taken seriously then I am shocked. It wasn't
a subtle or complex set of bugs. These are the kinds of problems that
show up all the time. The source code snippets should have been more
than enough to "prove" their case.

As for reporting, the grsecurity team followed what they thought
were the best ways to report the problems. The fact they guessed "wrong"
(which is not actually a fact ... just an unsupported assertion on
several people's part) is not their fault. I can't fault them for it.
I'm still unclear as to what the "correct" way would have been. There
was absolutely no documentation on how to report such problems. You
claim they "should have known" that Andrea is the right contact based on
years-old information. Using that reasoning Alan Cox would be the right
contact... but we know that is incorrect.

Sure Linus gets a lot of email. He probably doesn't read a lot of it.
The point of them explaining they had an "established two-way link"
was that Linus had read and responded to the original message ... but not
fixed the problem once the bug became exploitable. You are complaining
that they didn't read the lkml ... but what, exactly, would that have
accomplished? Posting to the lkml is every bit as public as this
disclosure. Or are you saying you aren't allowed to report bugs without
subscribing?

They were very patient. People are claiming this is like DJB's arrogant
security reports. It is not even close. Several people have claimed
these issues were released as punishment and that the use_lib() thing is
unrelated. The point that had been made is that these issues were being
released because someone else leaked the use_lib() bug... otherwise it
would have all been taken care of together. Once the information is out it
is in everyone's best interest that it is fully and widely disclosed.
Secrecy is only useful for so long... other people may find the bug and
information tends to leak out. A month and change seems more than
reasonable.

Someone else said that they shouldn't have mailed the kernel people but
one or more of the distribution maintainers. I can't disagree more.
Report security bugs to the upstream. They will be fixed in a single
place, in the right way -- not to mention the advantage of limiting the
number of people the information is sent to.

Why can't MAINTAINERS have an entry for kernel security bug reports? Why
not set up a separate mailing list or alias which will magically go to the
right people (not including a bunch of distro maintainers)? Why not
create a PGP key for it to accept encrypted messages? I think everyone
agrees there is a problem. We may not agree on who is at fault but
aren't there _very_ easy ways to fix it?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds