
security holes in Linux

Posted Jul 15, 2008 22:26 UTC (Tue) by zooko (subscriber, #2589)
In reply to: Stable kernel 2.6.25.11 by spender
Parent article: Stable kernel 2.6.25.11

I hate to see angry messages on LWN.net (although I have to admit that, even while angry, the
current posters are making more useful points than I see on most other web fora).

I like the note at the top of the LWN.net comment editor page: "Please try to be polite,
respectful, and informative".

Let me point out that this isn't so much an issue of Good vs. Evil as much as a question of
different people having different needs.  The Linux kernel does a fine job of evolving
quickly, supporting lots of hardware, improving the common cases of performance issues, and so
forth.  There are plenty of people whose security needs can be aptly summed up as "Whatever my
distribution and the Linux core team think is best is probably good enough."  Those people
have no need for more specific information about vulnerabilities, and would not be able to use
that information if they had it.  Perhaps they are using Linux exclusively on non-networked,
single-user jobs, for example.

It's not that those people *ought* to value specific security vulnerability disclosures more
than they do -- it's just that they personally have no need of such disclosures.

On the other hand there are people who do need more specific information.  They may be
responsible for networked, multi-user Linux installations with great value at stake, for
example.  They may need, and know how to use, vulnerability disclosures in precise detail as
to the window of vulnerability and how to fix or workaround each issue.  As far as I currently
understand it, those people are not being served.

Now again, this isn't a matter of Good vs. Evil.  Linus, and GregKH, and the rest of the Linux
folks have no moral obligation to provide what those folks need.  If Linus and company care to
start providing it, that would be fine.  If not, then perhaps someone else (such as PaXTeam
and his partners) would provide that information about Linux, or perhaps those users would be
better off if they switched from Linux to Solaris or OpenBSD or something.

But again, for the third time, those users switching from Linux to Solaris or OpenBSD or
something would not be an Evil.  The world would not become a worse place.  Indeed, if the
maintainers of those other operating systems were better prepared to provide the kind of
service that those users need, then the world would be a better place.

For what it is worth I have worked in computer security for a long time, and for years I
tended to assume that my peers who insisted on running only OpenBSD or FreeBSD and refused to
rely on Linux for security were just being show-offs.  Nowadays I'm beginning to think that
they had justification for their choice.

Regards,

Zooko

P.S.  Just to make sure everyone got the point, if it is true, as I just alleged, that many
open-source-loving computer security professionals refuse to trust Linux's security, then this
is not Evil.  It's no big deal.  They get along fine in their jobs and you get along fine in
yours, so when replying to this note, please try to be polite, respectful, and informative.


security holes in Linux

Posted Jul 15, 2008 22:53 UTC (Tue) by spender (subscriber, #23067)

I understand the point you're making, and it actually illustrates part of the problem here.
In order to make those kinds of informed decisions about which OS to use, for example, the
people providing the options have to be honest about what they're actually providing.  In the
case we have now with the Linux kernel, on paper they're saying they provide full disclosure
of security bugs, and sometimes we do see CVE and other security-related information in
changelogs (http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6... just taken as a
random example) but now we find out that in reality, non-disclosure seems to be their general
policy (except for the small percentage of vulnerabilities Linus says the vendors report on).
As evidenced by some of the comments in denial on previous postings, I think some are probably
surprised now at how things really are.

So as the PaX Team is asking on LKML, there are two solutions to the problem.  Either of them
will help people make better decisions regarding security: revise their written policy of
full-disclosure to reflect their real policy of non-disclosure, or change their real policy to
reflect what has been their written policy since 2005.

-Brad

security holes in Linux

Posted Jul 15, 2008 23:26 UTC (Tue) by nix (subscriber, #2304)

I note the absence of anything in Documentation/SecurityBugs binding the
Linux kernel hackers to *anything*. All it describes is the way that bugs
sent to the *kernel security team* are managed. I see nothing that says
that security bugs described anywhere *else* need to be handled in any
particular way, or that anyone else involved with the kernel needs to pay
the document any attention at all.

(Perhaps the file needs to say more clearly that this is not a security
policy for the kernel, just a place to which people can report security
bugs if they'd rather not get the standard Linus kill-it-now approach.)

I think this has all been a giant misreading from the start.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds