Theodore Tso <tytso-AT-mit.edu>
Re: [stable] Linux 126.96.36.199
Tue, 15 Jul 2008 22:28:44 +0200
Linus Torvalds <torvalds-AT-linux-foundation.org>,
Greg KH <greg-AT-kroah.com>,
Andrew Morton <akpm-AT-linux-foundation.org>
On 15 Jul 2008 at 14:33, Theodore Tso wrote:
> On Tue, Jul 15, 2008 at 05:31:09PM +0200, email@example.com wrote:
> > obviously there *is* a policy, it's just not what you guys declared
> > earlier in Documentation/SecurityBugs. would you care to update it
> > or, more properly, remove it altogether as it currently says:
> Hi, so I'm guessing you're new to the Linux kernel.
not that new, just not a subscriber, but i've been following it on and
off for many years now. just a few comments below:
> What you are
> missing is while *Linus* is unwilling to play the disclosure game,
> there are kernel developers (many of whom work for distributions, and
> who *do* want some extra time to prepare a package for release to
> their customers) who do. So what Linus has expressed is his personal
> opinion, and he simply is not on any of the various mailing lists
> that receive limited-disclosure information, such as the general
> firstname.lastname@example.org mailing list, or the email@example.com list
> mentioned in Documentation/SecurityBugs.
he's on firstname.lastname@example.org i think.
> Both vendor-sec and email@example.com are not formal organizations,
> so they can not sign NDAs, but they will honor non disclosure
> requests, and the subscription list for both lists is carefully
> People like Linus who have a strong, principled stand for Full
> Disclosure simply choose not to request to be placed on those mailing
Linus has just explained that he does *not* have any stand on full
disclosure; in fact, he prefers no disclosure.
> And if Linus finds out about a security bug, he will fix it
> and check it into the public git repository right away.
yes, he does that. what he doesn't do is mention the fact that he's
just fixed a security bug.
> The arguments about whether or not Full Disclosure is a good idea or
> not, and whether or not the "black hat" and "grey hat" and "white hat"
> security research firms are unalloyed forces for good, or whether they
> have downsides (and some might say very serious downsides) have been
> arguments that I have personally witnessed for over two decades
> (Speaking as someone who helped to dissect the Robert T. Morris
> Internet Worm in 1988, led the Kerberos development team at MIT for
> many years, and chaired the IP SEC Working Group for the IETF, I have
> more than my fair share of experience). It is clear that we're not
> going to settle this debate now, and certainly not on the Linux Kernel
> Mailing List.
Ted, the discussion is *not* about what the best disclosure policy
would be for the kernel. the problem i raised was that there's one
declared policy in Documentation/SecurityBugs (full disclosure) yet
actual actions are completely different and now Linus even admitted
it. the problem arising from such inconsistency is that people relying
on the declared disclosure policy will make bad decisions and potentially
endanger their users. there're two ways out of this situation: either
follow full disclosure in practice or let the world at large know
that you (well, Linus) don't want to. in either case people will adjust
their security bug handling processes and everyone will be better off.