From: "Michael K. Johnson" <johnsonm-AT-rpath.com>
Subject: CVE-2006-2451 update
Date: Thu, 13 Jul 2006 16:46:14 -0400
In regards to http://lwn.net/Articles/190385/, we are providing an
updated advisory which radically revises the description of the
vulnerabilities and upgrades the rating.
I am concerned (and I, with others, have raised this concern on
vendor-sec) that there has been a tendency in advisories to label
almost any bug as a potential privilege escalation, and I fear that
doing so whenever no one is confident that the bug cannot lead to
a privilege escalation will lead to lack of attention paid to the
cases where there is a known privilege escalation vulnerability,
due to alert fatigue.
Our approach is intentionally not to artificially inflate advisory
ratings, and to release updated advisories whenever appropriate.
It is always possible that in the human process of evaluating
severity, we will mis-judge any particular vulnerability. When we
do so, our policy is to release advisory updates, as we would for
any other significant mistake in an advisory. (This will be our
sixth advisory update for any reason, out of 126 released advisories
for rPath Linux 1.) The change in status itself should help avoid
the alert fatigue problem for users of rPath Linux.
Least importantly, your complaint about nominal version numbers
really doesn't apply to our advisory. It is specifically about
previous versions of the kernel package we provide, not previous
versions of the kernel. That distinction is both key to Conary
technology (we do not use version number ranking within Conary) and
also the reason that we consistently use wording such as "previous
versions of ... package" in our advisories. Our advisories are
not meant to cover software outside our repositories; the generic
descriptions of vulnerabilities is properly done within the CVE
system, not in vendor-specific advisories.
Thank you for recognizing that we did at least publish the
original advisory and update in a timely manner, and for your
continued intelligent and insightful coverage of Linux generally.
From: "Jay R. Ashworth" <jra-AT-baylink.com>
Subject: Yeah, a letter to the editor
Date: Thu, 13 Jul 2006 18:07:14 -0400
Think about this, folks:
What would we do if Microsoft released IE7.0 simultaneously...
for Windows 2K/XP, OS/X and Linux?
And was 100% ALA/Zeldman compliant?
Jay R. Ashworth firstname.lastname@example.org
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
Fanfic: read enough, and you'll lose your mind. --me
From: "Floris Kraak" <randakar-AT-gmail.com>
To: "Ken Brown" <kebrown-AT-nvidia.com>, "Derek Perez" <dperez-AT-nvidia.com>,
"Andrew Fear" <afear-AT-nvidia.com>
Subject: Open letter to nVidia: Please open source the legacy nVidia video drivers
Date: Tue, 18 Jul 2006 13:18:02 +0200
Cc: letters-AT-lwn.net, editors-AT-linuxtoday.com
The issue I am about to discuss has been talked about before. The
linux community has asked nVidia for open source video drivers in the
past and most likely will again. nVidia so far has consistently said
'no', citing various reasons*.
It is my belief many of those reasons are invalid when it comes to
drivers for cards older than two years**. The so called 'legacy'
Allow me to go through the arguments one by one.
1) 'the graphics market is hotly competitive .. [we] want to maintain
the proprietary, trade-secret nature of [the drivers] as long as
possible' (ATI quote)
This argument does not apply for legacy drivers. If you still have a
trade secret in a graphics card driver two years after it's released
the competition is simply not doing its job. So far the evidence
2) 'It's so hard to write a graphics driver that open-sourcing it
would not help' (quoting Andrew Fear)
That statement is just not true - neither the linux nor the X
community can be accused of not writing high quality, highly complex
software. It can be said*** that the reverse is true - it is so hard
to write a graphics driver that keeping it closed will hurt. It is
certainly not true for legacy drivers, where the development effort
largely consists of keeping them working as new kernel versions
appear. This effort would be considerably easier if these drivers were
to be part of the mainline linux kernel.
3) 'customers aren't asking for open-source drivers'
I'm a customer. I'm asking. With me there are tens of thousands of
linux enthusiasts who are asking. In fact large government
institutions such as the Department of Defense**** are asking too.
Given the current growth figures for Linux, Firefox and other open
source software I think it's safe to say pressure from real customers
will only grow with time*****.
4) Third-party intellectual property.
This may be the only reason I cannot argue against, simply because I
cannot argue against something if I don't know details about it. All I
can say is that nVidia appears to have stated in the past that this
was not a major obstacle. Even if it is an obstacle for some parts of
the code then nVidia may still be in a position to release partial
drivers, old libraries or even specs for the older cards.
Having countered the arguments against opening up legacy drivers I
want to make a case in favor of it. There are several reasons why
nVidia would benefit from opening up their legacy drivers.
a) Costs. It can easily be argued that opening up the legacy drivers
will shift some of the maintenance burden of those drivers to the
Linux community, freeing up development resources inside the company.
b) PR. nVidia will be lauded for doing the right thing, for showing
vision. It would probably be hailed as a victory for the open source
community and as such generate a fair amount of positive press.
c) Higher quality drivers. The open source community has long
maintained free software is higher quality software. Undoubtedly the
peer review process that is part of the linux development model will
help improve the drivers.
Finally, I call upon nVidia to put its money where its mouth is.
Andrew Fear said****** "We believe in open source where it makes
sense". It makes sense here. I call upon nVidia to follow up on that
*) A short list of them, and some debunking can be found here:
**) Needless to say I am in support of Open Sourcing the graphics
drivers of all major players entirely. But I am not making an argument
for that here.
***) "On binary drivers and stable interfaces", discussing why keeping
a driver closed source hurts development.
****) Department of Defense report "recommends that the DoD move to a
roadmap to adopt open source and open standards, maintaining that such
a move is not only in the US national interest, but in the interests
of US national security."
*****) Also interesting is the fact that graphics cards get compared
on how well they support Linux nowadays:
******) "We believe in Open Source when it makes sense."
"Any technology distinguishable from magic is insufficiently advanced."
--- Corollary to Clarke's Law
Page editor: Forrest Cook