| |||||||||||||
Self interestSelf interestPosted Jul 17, 2008 20:46 UTC (Thu) by corbet (editor, #1)In reply to: Handling kernel security problems by zooko Parent article: Handling kernel security problems You know, we're all acting out of self interest. If the motivation is purely a more secure kernel and more information about when it's not secure, that's still self interest. As for what was in the article, I said that a suitably cynical mind could see their actions as furthering the interest of their project. That is demonstrably true: that idea was raised in the discussion. To mention that is, I think, is along the same lines as covering the accusations that Linux developers are deliberately hiding security problems (out of their self interest, no doubt). Those charges, too, can be seen as insulting. Should I have covered one side and not the other? That said, maybe I should have left that sentence out. It lacks relevance to the real issues at hand. This kind of article is quite hard to write (gnarly technical stuff is much easier); I don't always get it perfectly right.
(Log in to post comments)
Self interest Posted Jul 17, 2008 21:02 UTC (Thu) by PaXTeam (subscriber, #24616) [Link] > As for what was in the article, I said that a suitably cynical mind > could see their actions as furthering the interest of their project. > That is demonstrably true: that idea was raised in the discussion. Ted raised it once and when i asked him for what he really meant, i got no response (i bet you too won't tell me what on earth i was supposed to gain from all this). on the other hand, i did explain, far too many times for my taste, how kernel devs covered up security bugs. i don't see how that's insulting when they even admitted it themselves. most of the discussion was all about their trying to justify that fact, not disputing it. see the difference?
Self interest Posted Jul 17, 2008 22:53 UTC (Thu) by nix (subscriber, #2304) [Link] No. You called them 'cover ups'. 'Cover up' in English implies not just intent but *malicious* intent, and you have proven no such thing, despite repeated assertions to the contrary.
Self interest Posted Jul 17, 2008 23:47 UTC (Thu) by spender (subscriber, #23067) [Link] 1 a: a device or stratagem for masking or concealing <his garrulousness is a coverup for insecurity> b: a usually concerted effort to keep an illegal or unethical act or situation from being made public 1. any action, stratagem, or other means of concealing or preventing investigation or exposure. to keep (something unpleasant) secret or hidden an attempt to prevent the public from discovering information about a serious crime or mistake to stop people discovering the truth about something bad Where did your definition come from? I doubt you pay the $295/year for a subscription to OED and that its definition differs in the way you hope. No maliciousness mentioned there in any definition I can find. Didn't we already tell you weeks ago you don't know the meaning of the words you use? Language is not private (go read some Wittgenstein). You can't just decide a certain word means something differently than the rest of the world recognizes it. When you do that, you gibber (read Clive Bell). Here you come up with your own meaning for the word, and then attack the PaX team because their claims meet up to their definition and the definition of everyone else in the world, but not to your contrived definition. Especially when we've already made clear several times in what way we mean coverup (which as you can see above, matches the accepted definition, as well as common usage of the term), your continued comments regarding it are just irresponsible and reckless. -Brad
Self interest Posted Jul 18, 2008 21:36 UTC (Fri) by man_ls (subscriber, #15091) [Link] On the contrary, nix has a splendid command of the English language. In this particular case he is spot-on, as has been sufficiently proved.
Self interest Posted Jul 18, 2008 21:51 UTC (Fri) by nix (subscriber, #2304) [Link] I'm trying to train myself out of responding to them. Security people tend to fall into two categories, charming and horrible, without many in the middle. tytso and Wietse Venema are examples of the charming type... Of course people can be quite different in person than on the net. I hope this is true here too.
Self interest Posted Jul 20, 2008 22:17 UTC (Sun) by PaXTeam (subscriber, #24616) [Link] while you two are celebrating i-don't-know what, let me remind the readers of this thread what these two geniuses said in the recent past. nix in http://lwn.net/Articles/286336/: In fact your interpretation makes no sense at all: why would people spend time coordinating to hide security holes when knowingly doing that could have no consequence other than to harm the reputation of the system they're working on? Doing that would be ridiculous. Ergo, they aren't doing that: there is no magically coordinated decision to fix security holes while hiding them by the single means of describing them differently in commit logs, no conspiracy, no bad intent. man_ls in http://lwn.net/Articles/286629/: Yes: do not hide bugs and do not hide security implications. "Do not hide" is the relevant part here. contrast that with what Linus and others said and think about who's played the fool here all this time ;).
Self interest Posted Jul 20, 2008 22:49 UTC (Sun) by man_ls (subscriber, #15091) [Link] We were celebrating that, no matter who's right, you can have a civilized discussion on the net where all parties implied learn something. Sadly this becomes very difficult as soon as some party enters the discussion calling names and behaving like teenagers.The way to adulthood usually is that first you learn how to behave and to respect your fellows, and then you can discuss whatever you like. Please do so; we don't need another De Raadt.
Self interest Posted Jul 20, 2008 23:27 UTC (Sun) by PaXTeam (subscriber, #24616) [Link] the thing is, right from the start you did not have a civilized discussion, i believe you see that yourselves now in hindsight. the lesson for you is that next time before you question the messengers, you should look at the message and do some background research yourselves before you engage them. in other words, ad hominem attacks are not conductive to your civilized discussion no matter how much you talk about adulthood and respect to your fellows later.
Self interest Posted Jul 21, 2008 6:15 UTC (Mon) by nix (subscriber, #2304) [Link] Most of your evidence was on private mailing lists: there's no way we could do that. (The word 'evidence isn't even really appropriate here.) Thus all we really have to go on is the word and character of the participants. Let's see, you or Linus. Boy, I wonder, *that's* a hard choice. After all you've been acting in a way so sure to make people believe every word you say. (Yes, the way you say things *does* matter. I dislike it too sometimes, but it's human nature.)
Self interest Posted Jul 21, 2008 7:16 UTC (Mon) by PaXTeam (subscriber, #24616) [Link] > Most of your evidence was on private mailing lists: there's no way we > could do that. (The word 'evidence isn't even really appropriate here.) actually, pretty much nothing was. we explicitly showed you commits and corresponding bugzilla/etc entries where the discrepancy should have at least raised a curious "yeah, really, what's up with that?" and resulted in your asking further questions to the devs themselves. and your reaction to that? let's see http://lwn.net/Articles/286405/ : Mostly I'm not interested enough to bother people over it. and *then* you still continued to attack the characters of people for *weeks* and even *now* you keep arguing that truth is decided by who says it, not by the supporting facts. that's as absurd and irrational as it can get. > Thus all we really have to go on is the word and character of the > participants. really, you *have* to? as if there were no alternative. you're just trying to explain your behaviour instead of apologizing for it (ah yes, that's part of adulthood too, you know, although you'll probably not find it in the dictionary that you seem to be so attached to). as a final note i'd like to make an observation in that the most or even all voracious ad hominem attacks came from anonymous posters such as yourselves. something to remind yourself next time you divide the 'security people' into black and white categories as somewhere above (i'm not into security by the way, just a web programmer).
Self interest Posted Jul 21, 2008 7:46 UTC (Mon) by nix (subscriber, #2304) [Link] I'm not saying that truth is determined by who says it, nor have I ever. What I'm saying is that *when a lot of evidence is invisible* (as was the case with yours despite your protestations), people *will* use the characters of the arguers in determining the probable truth or falsity of their statements. Fallacy or not, *this is the way people think*, and if you want to have anyone believe anything you say in future, remembering this might be wise. Right now I wouldn't believe you if you said the sky was blue, unless confirmed by independently available evidence. Your every action screams 'bias' (because all we have available is your words, and your words are every bit as rife with ad hominem attacks as they were when this mess started).
Self interest Posted Jul 21, 2008 12:36 UTC (Mon) by zooko (subscriber, #2589) [Link] From my perspective, it seems like it would be nice for someone to do the work of identifying security bugs specifically and explaining, for each one, what sort of situations expose the user to danger, how to work-around it, and what patch(es) fix it. We've already heard that GregKH and Linus aren't going to do that. Perhaps there's an opportunity for some other motivated, skilled person to offer that service? Such a service would help some users manage their risks better, and it would provide a valuable "feedback loop" to the kernel developers by documenting the issues.
Self interest Posted Jul 21, 2008 12:46 UTC (Mon) by PaXTeam (subscriber, #24616) [Link] yes, it would be the next step after the already known security issues are acknowleged at least. since such research requires full staff, the Linux vendors are in the best position to fund such a service.
Self interest Posted Jul 21, 2008 13:44 UTC (Mon) by nix (subscriber, #2304) [Link] Excellent idea. However, if the distro vendors did this, they'd probably do it for their stable enterprise kernels, as those are the kernels their paying customers use (and also kernels that change slowly enough that this sort of fine tooth-combing is possible). I wish this sort of thing was possible to fund with the raging high-speed chaos that is upstream kernels but I have a feeling that it isn't :/ still, hopefully if this were done *some* of the holes that were found in distro kernels might still be applicable upstream. (disclaimer: I have no input into funding decisions anywhere at all nor ever have had. This is purest speculation.)
Self interest Posted Jul 21, 2008 12:01 UTC (Mon) by man_ls (subscriber, #15091) [Link] Actually, in hindsight we (nix and others) were mostly right in our assumptions: kernel devs are not actively hiding security issues, but they are not actively researching them either, and they are not very good at that kind of research. The "kernel security policy" you waived in our collective faces is no such kernel security policy, but a policy for a certain mailing list. And so on.Unsurprisingly you did not learn anything from the discussion and had to go to lkml, where you were told essentially the same thing. Now our grumpy editor has dedicated a full article to the same issues from where (unsurprisingly) you came out as unenlighted as before. As to "questioning the messengers" it is always a healthy exercise and it would not be wise to stop doing it. If you are not up to such questioning then maybe your case is not that clear. I will not go into your accussations of ad hominem since they are completely unfounded.
|
|||||||||||||