LWN.net Logo

Kernel security, year to date

Posted Sep 12, 2008 3:22 UTC (Fri) by eteo (guest, #36711)
In reply to: Kernel security, year to date by dlang
Parent article: Kernel security, year to date

> because of this good guys need to apply all the patches, not try to
> cherry-pick the ones that they think are 'important'. If they want to do
> so (distros for example), they need to investigate _every_ patch to see
> if it has security implications or not. tagging some of them as having
> security implications strongly implies that ones that are not tagged do
> not have security implications, and that is incorrect.

Realistically, most good guys don't do that. As I mentioned in my previous reply, applying all patches may actually introduce possible instability and/or additional security bugs to the system.

> even if all the commit says is 'this is important for security' the fact
> that the details of the fix are directly attached to the comment makes
> it pretty easy for the bad guy to focus their exploit effort.

Obscurity does not prevent the bad guys from focusing their exploit effort. It only slows them down a little. By making the commit of security-relevant bugs a little more obvious, it may actually reduce the value of these vulnerabilities.



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds