LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Self interest

Self interest

Posted Jul 21, 2008 7:16 UTC (Mon) by PaXTeam (subscriber, #24616)
In reply to: Self interest by nix
Parent article: Handling kernel security problems 

> Most of your evidence was on private mailing lists: there's no way we
> could do that. (The word 'evidence isn't even really appropriate here.)

actually, pretty much nothing was. we explicitly showed you commits and corresponding
bugzilla/etc entries where the discrepancy should have at least raised a curious "yeah,
really, what's up with that?" and resulted in your asking further questions to the devs
themselves. and your reaction to that? let's see http://lwn.net/Articles/286405/ :

   Mostly I'm not interested enough to bother people over it.

and *then* you still continued to attack the characters of people for *weeks* and even *now*
you keep arguing that truth is decided by who says it, not by the supporting facts. that's as
absurd and irrational as it can get.

> Thus all we really have to go on is the word and character of the
> participants.

really, you *have* to? as if there were no alternative. you're just trying to explain your
behaviour instead of apologizing for it (ah yes, that's part of adulthood too, you know,
although you'll probably not find it in the dictionary that you seem to be so attached to).

as a final note i'd like to make an observation in that the most or even all voracious ad
hominem attacks came from anonymous posters such as yourselves. something to remind yourself
next time you divide the 'security people' into black and white categories as somewhere above
(i'm not into security by the way, just a web programmer).

(Log in to post comments)

Self interest

Posted Jul 21, 2008 7:46 UTC (Mon) by nix (subscriber, #2304) [Link] 

I'm not saying that truth is determined by who says it, nor have I ever. 
What I'm saying is that *when a lot of evidence is invisible* (as was the 
case with yours despite your protestations), people *will* use the 
characters of the arguers in determining the probable truth or falsity of 
their statements.

Fallacy or not, *this is the way people think*, and if you want to have 
anyone believe anything you say in future, remembering this might be wise.

Right now I wouldn't believe you if you said the sky was blue, unless 
confirmed by independently available evidence. Your every action 
screams 'bias' (because all we have available is your words, and your 
words are every bit as rife with ad hominem attacks as they were when this 
mess started).

Self interest

Posted Jul 21, 2008 12:36 UTC (Mon) by zooko (subscriber, #2589) [Link] 

From my perspective, it seems like it would be nice for someone to do the work of identifying
security bugs specifically and explaining, for each one, what sort of situations expose the
user to danger, how to work-around it, and what patch(es) fix it.

We've already heard that GregKH and Linus aren't going to do that.

Perhaps there's an opportunity for some other motivated, skilled person to offer that service?

Such a service would help some users manage their risks better, and it would provide a
valuable "feedback loop" to the kernel developers by documenting the issues.

Self interest

Posted Jul 21, 2008 12:46 UTC (Mon) by PaXTeam (subscriber, #24616) [Link] 

yes, it would be the next step after the already known security issues are acknowleged at
least. since such research requires full staff, the Linux vendors are in the best position to
fund such a service.

Self interest

Posted Jul 21, 2008 13:44 UTC (Mon) by nix (subscriber, #2304) [Link] 

Excellent idea. However, if the distro vendors did this, they'd probably 
do it for their stable enterprise kernels, as those are the kernels their 
paying customers use (and also kernels that change slowly enough that this 
sort of fine tooth-combing is possible).

I wish this sort of thing was possible to fund with the raging high-speed 
chaos that is upstream kernels but I have a feeling that it isn't :/ 
still, hopefully if this were done *some* of the holes that were found in 
distro kernels might still be applicable upstream.

(disclaimer: I have no input into funding decisions anywhere at all nor 
ever have had. This is purest speculation.)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds