Self interest [LWN.net]

Self interest

Posted Jul 20, 2008 22:17 UTC (Sun) by PaXTeam (subscriber, #24616) [Link]

while you two are celebrating i-don't-know what, let me remind the readers of this thread what
these two geniuses said in the recent past.

nix in http://lwn.net/Articles/286336/:
   In fact your interpretation makes no sense at all: why would people
   spend time coordinating to hide security holes when knowingly doing
   that could have no consequence other than to harm the reputation of
   the system they're working on? Doing that would be ridiculous. Ergo,
   they aren't doing that: there is no magically coordinated decision to
   fix security holes while hiding them by the single means of describing
   them differently in commit logs, no conspiracy, no bad intent.

man_ls in http://lwn.net/Articles/286629/:
   Yes: do not hide bugs and do not hide security implications. "Do not
   hide" is the relevant part here.

contrast that with what Linus and others said and think about who's played the fool here all
this time ;).

Self interest

Posted Jul 20, 2008 22:49 UTC (Sun) by man_ls (subscriber, #15091) [Link]

We were celebrating that, no matter who's right, you can have a civilized discussion on the net where all parties implied learn something. Sadly this becomes very difficult as soon as some party enters the discussion calling names and behaving like teenagers.

The way to adulthood usually is that first you learn how to behave and to respect your fellows, and then you can discuss whatever you like. Please do so; we don't need another De Raadt.

Self interest

Posted Jul 20, 2008 23:27 UTC (Sun) by PaXTeam (subscriber, #24616) [Link]

the thing is, right from the start you did not have a civilized discussion, i believe you see
that yourselves now in hindsight. the lesson for you is that next time before you question the
messengers, you should look at the message and do some background research yourselves before
you engage them. in other words, ad hominem attacks are not conductive to your civilized
discussion no matter how much you talk about adulthood and respect to your fellows later.

Self interest

Posted Jul 21, 2008 6:15 UTC (Mon) by nix (subscriber, #2304) [Link]

Most of your evidence was on private mailing lists: there's no way we 
could do that. (The word 'evidence isn't even really appropriate here.)

Thus all we really have to go on is the word and character of the 
participants. Let's see, you or Linus. Boy, I wonder, *that's* a hard 
choice. After all you've been acting in a way so sure to make people 
believe every word you say.

(Yes, the way you say things *does* matter. I dislike it too sometimes, 
but it's human nature.)

Self interest

Posted Jul 21, 2008 7:16 UTC (Mon) by PaXTeam (subscriber, #24616) [Link]

> Most of your evidence was on private mailing lists: there's no way we
> could do that. (The word 'evidence isn't even really appropriate here.)

actually, pretty much nothing was. we explicitly showed you commits and corresponding
bugzilla/etc entries where the discrepancy should have at least raised a curious "yeah,
really, what's up with that?" and resulted in your asking further questions to the devs
themselves. and your reaction to that? let's see http://lwn.net/Articles/286405/ :

   Mostly I'm not interested enough to bother people over it.

and *then* you still continued to attack the characters of people for *weeks* and even *now*
you keep arguing that truth is decided by who says it, not by the supporting facts. that's as
absurd and irrational as it can get.

> Thus all we really have to go on is the word and character of the
> participants.

really, you *have* to? as if there were no alternative. you're just trying to explain your
behaviour instead of apologizing for it (ah yes, that's part of adulthood too, you know,
although you'll probably not find it in the dictionary that you seem to be so attached to).

as a final note i'd like to make an observation in that the most or even all voracious ad
hominem attacks came from anonymous posters such as yourselves. something to remind yourself
next time you divide the 'security people' into black and white categories as somewhere above
(i'm not into security by the way, just a web programmer).

Self interest

Posted Jul 21, 2008 7:46 UTC (Mon) by nix (subscriber, #2304) [Link]

I'm not saying that truth is determined by who says it, nor have I ever. 
What I'm saying is that *when a lot of evidence is invisible* (as was the 
case with yours despite your protestations), people *will* use the 
characters of the arguers in determining the probable truth or falsity of 
their statements.

Fallacy or not, *this is the way people think*, and if you want to have 
anyone believe anything you say in future, remembering this might be wise.

Right now I wouldn't believe you if you said the sky was blue, unless 
confirmed by independently available evidence. Your every action 
screams 'bias' (because all we have available is your words, and your 
words are every bit as rife with ad hominem attacks as they were when this 
mess started).

Self interest

Posted Jul 21, 2008 12:36 UTC (Mon) by zooko (subscriber, #2589) [Link]

From my perspective, it seems like it would be nice for someone to do the work of identifying
security bugs specifically and explaining, for each one, what sort of situations expose the
user to danger, how to work-around it, and what patch(es) fix it.

We've already heard that GregKH and Linus aren't going to do that.

Perhaps there's an opportunity for some other motivated, skilled person to offer that service?

Such a service would help some users manage their risks better, and it would provide a
valuable "feedback loop" to the kernel developers by documenting the issues.

Self interest

Posted Jul 21, 2008 12:46 UTC (Mon) by PaXTeam (subscriber, #24616) [Link]

yes, it would be the next step after the already known security issues are acknowleged at
least. since such research requires full staff, the Linux vendors are in the best position to
fund such a service.

Self interest

Posted Jul 21, 2008 13:44 UTC (Mon) by nix (subscriber, #2304) [Link]

Excellent idea. However, if the distro vendors did this, they'd probably 
do it for their stable enterprise kernels, as those are the kernels their 
paying customers use (and also kernels that change slowly enough that this 
sort of fine tooth-combing is possible).

I wish this sort of thing was possible to fund with the raging high-speed 
chaos that is upstream kernels but I have a feeling that it isn't :/ 
still, hopefully if this were done *some* of the holes that were found in 
distro kernels might still be applicable upstream.

(disclaimer: I have no input into funding decisions anywhere at all nor 
ever have had. This is purest speculation.)

Self interest

Posted Jul 21, 2008 12:01 UTC (Mon) by man_ls (subscriber, #15091) [Link]

Actually, in hindsight we (nix and others) were mostly right in our assumptions: kernel devs are not actively hiding security issues, but they are not actively researching them either, and they are not very good at that kind of research. The "kernel security policy" you waived in our collective faces is no such kernel security policy, but a policy for a certain mailing list. And so on.

Unsurprisingly you did not learn anything from the discussion and had to go to lkml, where you were told essentially the same thing. Now our grumpy editor has dedicated a full article to the same issues from where (unsurprisingly) you came out as unenlighted as before.

As to "questioning the messengers" it is always a healthy exercise and it would not be wise to stop doing it. If you are not up to such questioning then maybe your case is not that clear. I will not go into your accussations of ad hominem since they are completely unfounded.