Chris Wright has been awfully silent recently. Did everyone forget that it was only a few
weeks ago that Chris Wright had this to say:
http://www.fotovallescrivia.it/public/news/linux.kernel/3...
"it is not true that we are actively hiding security bugs. Had I realized there was a
security issue, I would highlight it in the announce message. In fact, that's our standard
procedure for -stable."
I don't recall any public announcement of this rather dramatic reversal of policy. Might have
been a good idea to tell people.
Also Greg, you should read my posting on the full-disclosure list regarding your use of the
term "untrusted local users." Your usage of it is simply wrong from a security perspective
and is misleading to users.
"I think the individual developers of the kernel all know quite well what the security
problems for their code are."
You mean the same ones that thought NULL pointer dereference bugs were unexploitable until I
produced an exploit for one that disabled SELinux and then continued to call them
unexploitable over a year later? Those same ones?
Meanwhile it seems like all the kernel developers are coming out of the woodwork echoing
Linus' ridiculous "security bugs are no more important than any other bug" philosophy. It all
seems rather odd, and smells badly of damage control happening behind the scenes, since this
is the first time we've ever heard this from anyone.
What's the matter, Chris? Redhat got you by the tongue?
-Brad
Does anyone know where we can find Chris Wright's sense of integrity?
Posted Jul 19, 2008 1:29 UTC (Sat) by spender (subscriber, #23067)
BTW, I'm sure the (large) distributions are happy since they have access to the same private
information you have access to but choose to omit, so of course they know what fixes are
security fixes! (as far as your collective security bug-finding skills go, and that capability
is debatable).
-Brad
Does anyone know where we can find Chris Wright's sense of integrity?
Posted Jul 19, 2008 10:05 UTC (Sat) by nix (subscriber, #2304)
Chris hasn't posted to linux-kernel, or anywhere else that I can find, since Tue Jun 17. Now perhaps RH has muzzled him to such an extent that he's not allowed to use the net at all, specifically out of a desire to spite you.
Or perhaps he's busy with something else, or on holiday.
Normally one would consider the latter possibilities before leaping to the former. But then, you aren't a conspiracy theorist at *all*. Oh no.
Does anyone know where we can find Chris Wright's sense of integrity?
Posted Jul 19, 2008 12:59 UTC (Sat) by spender (subscriber, #23067)
If I were Chris, I wouldn't much appreciate the other man of a two-man team completely reversing the -stable policy while I was away on vacation without talking to me at all about it, if that's indeed the case. That's pretty slimy, really. "Hi Chris, welcome back. While you were gone, myself and the rest of the kernel developers decided that what you've been doing since 2005 just isn't important at all, and we're going to stop assisting you. Oh, and by the way, not a single kernel developer came out in support of you. We've decided that the new policy won't be what you declared the policy to be, and we've already informed the world of it without discussing it with you first."
If it is the case that he's just on vacation, I hope that when he returns he gets things back
to normal, and beyond that, expresses to the other kernel developer why their security-related
opinions are just unacceptable.
-Brad