> Greg,
Once again, if you have any comments, questions, or concerns about how I and the other kernel
developers are handling the -stable updates and notifications, please do so on the
linux-kernel mailing list and I will be very glad to discuss them there, in public.
> instead of witchhunting on vendor-sec
I'm confused, what do you mean by this?
Posted Jul 3, 2008 17:21 UTC (Thu) by PaXTeam (subscriber, #24616)
Greg,
you probably misunderstood me. i do *not* care about the disclosure policy you choose (*that*
discussion is something *you* kernel devs have to have, i have zero influence on it). what i
do care about is that once you decided it, you stick to it and when you don't (remember, it's
supposedly still 'full disclosure' as of now), i'll point it out. in any case, if you really
really want me to get involved in all this (i very much doubt you do, but you can prove
yourself now), start that thread yourself and CC spender and me.
> > instead of witchhunting on vendor-sec
> I'm confused, what do you mean by this?
make the vendor-sec archives public and i'll explain. deal? ;)
Stable kernel 2.6.25.10
Posted Jul 3, 2008 17:51 UTC (Thu) by gregkh (subscriber, #8)
> if you really really want me to get involved in all this (i very much doubt
> you do, but you can prove yourself now), start that thread yourself and CC
> spender and me.
Sure, email addresses to cc:?
> > > instead of witchhunting on vendor-sec
> > I'm confused, what do you mean by this?
> make the vendor-sec archives public and i'll explain. deal? ;)
I have no control over vendor-sec archives.
If you disagree with this policy, bring it up on vendor-sec, where it
can be discussed and possibly changed.
Stable kernel 2.6.25.10
Posted Jul 3, 2008 18:09 UTC (Thu) by PaXTeam (subscriber, #24616)
pageexec@freemail.hu (spender chose not to be CC'd in the end)
> If you disagree with this policy,
i don't agree with it (nor with the secrecy and corresponding unaccountability of other lists
like the kernel security one)
> bring it up on vendor-sec, where it can be discussed and possibly changed.
it can be discussed, but it can't possibly be changed, and you know that full well. case in
point, you guys decided against letting in individual researchers on vendor-sec. how could you
possibly agree on opening up the same discussions these private researchers would have been
privy to then? obviously you will never do that and there's no point in having fake
discussions whose outcome has already been decided.
Stable kernel 2.6.25.10
Posted Jul 4, 2008 9:36 UTC (Fri) by PaXTeam (subscriber, #24616)
> Once again, if you have any comments, questions, or concerns about how I
> and the other kernel developers are handling the -stable updates and
> notifications, please do so on the linux-kernel mailing list and I will
> be very glad to discuss them there, in public.
so, i did just that yesterday. note that you might want to fix your spam filters because i
didn't see my mail show up in the archives nor did i get a bounce. but at least the
individuals on CC (yourself included) should have got it. for reference for others in case it
doesn't make it into the archives:
On 3 Jul 2008 at 11:57, Greg KH wrote:
> On Thu, Jul 03, 2008 at 10:29:14AM -0700, Greg KH wrote:
> Adding 2 more addresses to this thread, as they were said to have
> questions about this kernel release.
not only this one, but every commit for the past few years that fixed
bugs with security impact. for reference:
http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/
> Again, if the above information is somehow insufficient as to what
> exactly is fixed in the -stable releases, and anyone has questions about
> how these release announcements are created, please let me know.
what is the disclosure policy used for commits fixing bugs with security
impact (both vanilla and -stable, especially if there's a difference)?
what do you include/omit?
how does it relate to what is declared in Documentation/SecurityBugs?
Stable kernel 2.6.25.10
Posted Jul 5, 2008 15:53 UTC (Sat) by bfields (subscriber, #19510)
"note that you might want to fix your spam filters because i
didn't see my mail show up in the archives nor did i get a bounce."
Email postmaster at vger--I've had trouble with their spam filters once or twice and found
them to be very responsive.