
Stable kernel 2.6.25.10

Stable kernel 2.6.25.10

Posted Jul 4, 2008 14:31 UTC (Fri) by zakalwe2 (guest, #50472)
In reply to: Stable kernel 2.6.25.10 by ledow
Parent article: Stable kernel 2.6.25.10

For a start, he's not crying wolf.  It's pretty clear from his posts that these issues are
real.

The majority of the people who understand these security issues are actively trying to abuse
them.  The kernel developers either wish to downplay the situation so linux doesn't look bad,
don't understand, or do understand but have undeclared motives.  It's the PaXTeam and spender
who are exposing the seriousness of the situation.  Not only that, they are the ones that have
been pioneering practical exploit mitigation for the last 7-8 years openly, and for free. PaX
features have ended up in every other OS but end up in linux last and watered down. To label
his comments on linux security as spam is ridiculous quite frankly.

FWIW all my dealings with the PaXTeam and spender have been exemplary.  Any issue I've had was
answered or fixed unbelievably quickly.  They are extremely helpful when approached, yet afaik
no kernel developer has ever actually approached them.  The only deficiency in their approach
is that they spend time dealing with trolls like you.

A certain kernel developer said that the kernel land ssp implementation would have mitigated
the vmsplice exploit earlier in the year.  The PaXTeam showed (on lkml) that it didn't even
work as intended, fixed it and explained its shortcomings.  I don't think this has even been
fixed upstream, months later.

Also, this is not a "random website". It's a (the?) site dedicated to helping users and
developers digest what's happening in the linux world and discuss it.  Not everyone can follow
lkml.



Stable kernel 2.6.25.10

Posted Jul 5, 2008 16:57 UTC (Sat) by tialaramex (subscriber, #21167)

We know that they cry wolf because we've watched it happen.

In http://lwn.net/Articles/286321/ I demolished spender's analysis of a "trivially
exploitable" bug that hadn't been fixed in stable, and in the follow-up it was revealed that
he hadn't even been looking at stable, but rather at an unreleased kernel tree. I'm no
security expert, just an ordinary engineer who prefers to read for himself rather than
trusting what he's told by self-declared experts. Spender offered no reply, do you think he'd
have pointed out his (very serious) error voluntarily?

Anyone who knows the status of PaX can judge for themselves whether a motive exists for PaX
supporters to rubbish the 2.6 stable series here rather than actually engage with developers.

Stable kernel 2.6.25.10

Posted Jul 8, 2008 1:30 UTC (Tue) by hawk (subscriber, #3195)

Well, I for one also find the recurring flood of comments by PaXTeam a bit tiresome.

I'm not saying that they are wrong about there being a problem but there are some serious
issues with their presentation and attitude.

For one thing, why make this into some sort of conspiracy theory?!


If they think that LWN is a good place to bring the subject up, I think they should consider
writing and submitting an actual article instead of flooding the comment section of kernel
release news items over and over and over and over and over and over and over and over and
over and over and over again.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds