LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Linus and security

Linus and security

Posted Jan 13, 2005 9:42 UTC (Thu) by zorgan (guest, #4016)
Parent article: Linux kernel security

Is it just me who finds Linus attitude shown in the linux-kernel thread
started by Chris Wright a bit irresponsible?
While reading it, I sometimes felt he hasn't realized that Linux isn't his
personal hobby anymore, but that there are millions of user of kernel.org
and vendor kernels, whose security partly depends on responsible handling
of kernel vulnerabilities. So that you shouldn't make them dependant on
your own personal pet views or distaste for some politics.

(Log in to post comments)

Linus and security

Posted Jan 13, 2005 13:53 UTC (Thu) by slowjoe (guest, #18834) [Link]

A quote of Linus from the above thread:

(See http://article.gmane.org/gmane.linux.kernel/270044 for the full article.)

<quote>
The only thing I really care about is that we can serve the people who
depend on us by giving them source code that is as bug-free and secure as
we can make it. If that means that we should make the changelogs be a bit
less verbose because we don't want to steal the thunder from the people
who found the problem, that's fine.
</quote>

I suspect that you may be revising your views. Linus takes a strong "let's minimise the window of vulnerability" line. That would appear to be in everyone's best interest.

Linus and security

Posted Jan 13, 2005 17:27 UTC (Thu) by zorgan (guest, #4016) [Link]

But his view is totally inconsistent in this regard. He doesn't realize
users don't want to disclosure to happen until vendor kernels are ready.
First he says he only carer about giving users the most bug-free code
possible, then he says maybe it doesn't matter that the kernel.org kernel
gets security fixes last.

Linus and security

Posted Jan 13, 2005 17:50 UTC (Thu) by jwb (guest, #15467) [Link]

You're projecting your own opinion on the rest of us. I am a user of Linux and I don't give a flying handshake about vendor kernels or their users. It is in the best interest of me and my business to have complete knowledge of all risks associated with the software we use. We need to be perfectly informed to make good operating decisions.

Linus and security

Posted Jan 13, 2005 21:48 UTC (Thu) by zorgan (guest, #4016) [Link]

But his stand doesn't help you in any respect either. His attachment to
his views means he doesn't work with vendor-sec. Which means official
kernel.org kernels get released with known security holes. Check Alan Cox'
emails in the lkml thread.

Linus and security

Posted Jan 14, 2005 5:34 UTC (Fri) by Ross (subscriber, #4065) [Link]

Speaking as a user I could care less about vendor kernels. I want the
fix out as fast as possible. If that means disclosing the vulnerability
or, more likely, giving enough information (from the patch) for someone
to figure it out then that's ok with me. Waiting on vendors could get
very ugly... which vendors first of all. What if one of them takes weeks
to get the patch released? What if they only do quarterly updates? What
about regression testing? I don't want to wait on those things.

Linus and security

Posted Jan 20, 2005 13:32 UTC (Thu) by job (guest, #670) [Link]

As I understand it, he specifically points to the problem that he is not allowed to fix problems too early with the delayed disclosure process. Everbody agrees to wait until the period is over. I for one am very thankful that Linus does not get into that game.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds