"Stable" kernel 2.6.25.7 released

Posted Jun 18, 2008 13:52 UTC (Wed) by NAR (subscriber, #1313)
In reply to: "Stable" kernel 2.6.25.7 released by PaXTeam
Parent article: Stable kernel 2.6.25.7 released

OK, this is a kind of "smoking gun" - in spite of the "full disclosure policy", a kernel
developer tried to avoid full disclosure. But still, I'd like to get back to the Napoleon
quote. Maybe the translations altered the meaning of the proverb, but I understood that
"incompetence" contained "simple human mistake" too. This quote you showed does not prove
malice for me, it could be a simple human mistake (or if a security professional goes for
"security through obscurity", then it's a sign of incompetence).

As a software developer, I know that we have a couple of rules that we should obey (just like
the kernel developers have rules e.g. for full disclosure). I also know that we tend to break
these rules: out of ignorance, convenience, lack of time, sometimes incompetence - but I've
never seen someone break these rules maliciously.

Even the amount of exploitable security bugs not labelled as such does not prove malice for me
- after all, there are many people fixing these errors, they can make many mistakes. I believe
your standards are just too high. A security professional should be exceptionally paranoid,
but even most kernel developers are not that paranoid.

I think this thread shows that there are other problems with the current kernel development
process, not just those that are usually mentioned (lack of review, regressions, etc.).


"Stable" kernel 2.6.25.7 released

Posted Jun 18, 2008 14:13 UTC (Wed) by PaXTeam (subscriber, #24616)

i don't think i ever talked about malice, what i did say was dishonesty (they're not the
same). dishonesty about having a commitment to the public yet doing something else behind the
scenes. no bad ill is required for such behaviour, my *guess* is that it's normal human
psychology: you don't need to deal with the problems you don't admit you have. just look at
last week's LWN interview with Andrew Morton (he's fully aware of what's going on on the
security lists) and how he downplays the problem of security bugs, almost as if they were on
the verge of dying out because they're in fringe driver code and so rarely in core code. yeah,
of course they're rare if they don't publish the security impact of those bugs. watch this
quote:

  That being said, I have the impression that most of our "security holes"
  are bugs in ancient crufty old code, mainly drivers, which nobody runs
  and which nobody even loads. So most metrics and measurements on kernel
  security holes are, I believe, misleading and unuseful.

of course said "metrics and measurements" are "misleading and unuseful" if the kernel devs
falsify the input data.

"Stable" kernel 2.6.25.7 released

Posted Jun 18, 2008 16:55 UTC (Wed) by nix (subscriber, #2304)

Sheesh. Dishonesty *implies* bad intent. If something is accidental or unintentional it's not
dishonest.

(Quibbling over the meanings of words only works if you know what the meanings of those words
actually *are*.)

"Stable" kernel 2.6.25.7 released

Posted Jun 18, 2008 17:47 UTC (Wed) by PaXTeam (subscriber, #24616)

> (Quibbling over the meanings of words only works if you know what the
> meanings of those words actually *are*.)

hear hear brother! and let me help you out while i'm at it:
http://dictionary.reference.com/search?q=malice . malice requires intent to harm another out
of hostility, or something like that, you're the native speaker, i'm sure you can interpret it
properly. now, the kernel devs did not actually want to do anything like that, they simply
wanted to save face and look better in statistics, or so. that's not malice, only dishonesty
(they did know what they committed to in Documentation/SecurityBugs and did violate that
promise).

> If something is accidental or unintentional it's not dishonest.

strawman warning ;)! the suppression of security info in the commits we pointed out as such
was neither accidental nor unintentional (nor malicious, just dishonest), so i have no idea
what you're talking about.

"Stable" kernel 2.6.25.7 released

Posted Jun 19, 2008 9:47 UTC (Thu) by nix (subscriber, #2304)

If you're not a native speaker, might I suggest *not* engaging in vast flamewars based solely
on parsing fine details of the meanings of words?

(Sheesh.)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds