The 2002 Linux Kernel Developers' Summit was held June 24 and 25
in Ottawa, Ontario. At this event, a number of issues relevant to the
latter part of the 2.5 development series were worked out. LWN's Jonathan
Corbet was there, and has written up the experience.
- Day One covered the Hammer port, kernel
parameters, rationalizing the loadable module mechanism, virtual
memory, and the block I/O subsystem.
- Day Two was dedicated to what database
systems need from Linux, HP's kernel wishlist, the Loadable Security
Module, asynchronous I/O, SCSI, and the kernel release process. Among
other things, a firm date has been set for the 2.6 feature freeze.
Look inside the individual days' coverage for the details.
Internet Security Systems, which has been feeling quite a bit of heat for
its premature revelation of the Apache "chunk handling" vulnerability,
posted an "advisory response" to defend
itself on June 21. It is an interesting bit of excuse-making, with
references to available patches and "Presidential Decision Directive 63."
Buried deep within, however, is an interesting claim:
Due to the general nature of open-source and its openness, the
virtual organizations behind the projects do not have an ability to
enforce strict confidentiality. By notifying the open source
project, its nature is that the information is quickly spread in
the wild disregarding any type of quiet period. ISS X-Force
minimizes the quiet period and delay of protecting customers by
providing a security patch.
This is quite a claim: ISS is telling us that free software projects cannot
be trusted with information on vulnerabilities in their own code.
It would be most interesting to see the evidence from ISS to back up this
claim. Most free software developers (though there are always exceptions)
are greatly concerned about potential vulnerabilities in their code. They
care about their users, and will do their best to get a real, tested fix
out before spreading the word of the vulnerability. It is not in the
nature or interests of free software developers to put their users at
That said, there are things that free software projects could do to help
people who discover vulnerabilities. The most important thing would be to
make it clear who should be contacted when a vulnerability is found. After
all, sending the notification to a general project mailing list is not
usually what one wants to do. But many or most project web pages offer
little help to somebody wondering how to report a security hole.
Any development project which would prefer not to learn about its own
security problems on Bugtraq must make an effort to do better. The
project documentation and web site should offer clear contact instructions
for the reporting of security problems. The security contacts should know
how to respond quickly to reports, and have the ability to get a patch out
to users. The procedures for responding to a security problem need to be
worked out before the next vulnerability turns up.
There is no reason why free software project development teams cannot be at least as
trustworthy as proprietary vendors when it comes to vulnerability
information. Claims that free software developers have overly loose
lips are not justifiable. But developers who want to be given a chance to
fix their holes before they become public need to take steps to show that
they are serious about security, and they should make it easy for people to report the problems that are found.
When LWN switched over to the new site a few weeks ago, some of our readers worried that
the comment posting facility would bring about the end of the Letters to
the Editor page. After all, why bother writing a letter when it is easy to
attach comments directly to articles? That was not a consequence that we
had feared, but now we are beginning to wonder - no letters to the editor
have been received this week. Thus, there is no letters page in this
For the most part, we have been pleased with how the comments feature has
worked out so far. There have not been huge numbers of comments, but most
of those we have seen have been of high quality. Our trust in our readers
has proved itself justified - most of the time.
We did not want to drop the Letters to the Editor page, however. The
Letters page has, over the years, been a valuable source of feedback and a
place for LWN readers to express their opinions. So we hope that this
week's lull proves to be a temporary thing; perhaps all of our letter
writers are at OLS this week. If you have an opinion on something that you
would like to see published, please do not hesitate to send it our way;
letters should be sent to email@example.com
Page editor: Rebecca Sobol
Inside this week's LWN.net Weekly Edition
- Security: OpenSSH 3.4 quickly replaces 3.3; apache update; Security in Open versus Closed Systems
- Kernel: 2.5.24 development kernel, Development kernel prepatch 2.5.24-dj2
released from the Kernel Summit, 2.4.19 rc 1.
- Distributions: Distribution news from Debian, Mandrake, Red Hat, Yellow Dog, and more.
- Development: GNOME 2.0 Desktop and Developer Platform,
GNU Ghostscript 7.05, GNU Bayonne 1.0, Samba 2.2.5, gphoto2 2.1.0,
SBCL 0.7.5, Perl 5.8.0 RC2.
- Commerce: IBM Delivers Total Linux Solutions to Wall Street; SnapGear Announces new uClinux Distribution
- Press: Open Source in Peru,
HP/Red Hat deal, Sun/IBM deal, MS maneuvers a source code release,
- Announcements: European Digital Rights, Fourth Australian Open Source Symposium,
SAGE-AU 2002 Conference, Python GTK+/GNOME Wiki.