Stable kernel 2.6.25.10

Stable kernel 2.6.25.10

Posted Jul 4, 2008 11:01 UTC (Fri) by ledow (guest, #11753)
Parent article: Stable kernel 2.6.25.10

Personally, I'm beginning to find the comments by PaXTeam on every single kernel release more
than a little tiring, especially seeing as I don't see dialogue about these issues anywhere
else.

I'm only a user, but I *do* think PaXTeam may have a point (although for 99% of end-users,
just the fact that they need to upgrade is sufficient, not the exact details of why).  The
problem is that PaXTeam is stating it very poorly and coming across as "superior to all", and
doing so in the wrong place repeatedly.  This is making people like myself tune such comments
out.  This is counter-acting any possible good they think they are doing by bringing this
information to the world - the boy who cried wolf and all that.

Please, do something other than post to random websites - put up a page on a blog listing your
concerns that people who are interested can read, post links to it on the LKML, anything, but
stop spamming every single kernel announcement on an otherwise relatively-spam-free website.

You've been given an opportunity for dialogue several times and it looks like you've finally
taken it up.  Please let this be the end of the matter because anyone interested in the kernel
maintainers' responses can view them, or look for your website/blog and keep track.



Stable kernel 2.6.25.10

Posted Jul 4, 2008 14:31 UTC (Fri) by zakalwe2 (guest, #50472) [Link]

For a start, he's not crying wolf.  It's pretty clear from his posts that these issues are
real.

The majority of the people who understand these security issues are actively trying to abuse
them.  The kernel developers either wish to downplay the situation so linux doesn't look bad,
don't understand, or do understand but have undeclared motives.  It's the PaXTeam and spender
who are exposing the seriousness of the situation.  Not only that, they are the ones that have
been pioneering practical exploit mitigation for the last 7-8 years openly, and for free. PaX
features have ended up in every other OS but end up in linux last and watered down. To label
his comments on linux security as spam is ridiculous quite frankly.

FWIW all my dealings with the PaXTeam and spender have been exemplary.  Any issue I've had was
answered or fixed unbelievably quickly.  They are extremely helpful when approached, yet afaik
no kernel developer has ever actually approached them.  The only deficiency in their approach
is that they spend time dealing with trolls like you.

A certain kernel developer said that the kernel land ssp implementation would have mitigated
the vmsplice exploit earlier in the year.  The PaXTeam showed (on lkml) that it didn't even
work as intended, fixed it and explained its shortcomings.  I don't think this has even been
fixed upstream, months later.

Also, this is not a "random website". It's a (the?) site dedicated to helping users and
developers digest what's happening in the linux world and discuss it.  Not everyone can follow
lkml.

Stable kernel 2.6.25.10

Posted Jul 5, 2008 16:57 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

We know that they cry wolf because we've watched it happen.

In http://lwn.net/Articles/286321/ I demolished spender's analysis of a "trivially
exploitable" bug that hadn't been fixed in stable, and in the follow-up it was revealed that
he hadn't even been looking at stable, but rather at an unreleased kernel tree. I'm no
security expert, just an ordinary engineer who prefers to read for himself rather than
trusting what he's told by self-declared experts. Spender offered no reply, do you think he'd
have pointed out his (very serious) error voluntarily?

Anyone who knows the status of PaX can judge for themselves whether a motive exists for PaX
supporters to rubbish the 2.6 stable series here rather than actually engage with developers.

Stable kernel 2.6.25.10

Posted Jul 8, 2008 1:30 UTC (Tue) by hawk (subscriber, #3195) [Link]

Well, I for one also find the recurring flood of comments by PaXTeam a bit tiresome.

I'm not saying that they are wrong about there being a problem but there are some serious
issues with their presentation and attitude.

For one thing, why make this into some sort of conspiracy theory?!


If they think that LWN is a good place to bring the subject up, I think they should consider
writing and submitting an actual article instead of flooding the comment section of kernel
release news items over and over and over and over and over and over and over and over and
over and over and over again.
