Which is which
Posted Jul 24, 2009 6:38 UTC (Fri) by man_ls
In reply to: True enough
Parent article: Quotes of the week
You are right, Brad is well known around here and has exposed a lot of ideas, so it's better to qualify.
What I agree with is full disclosure. Kernel developers seem to think that security issues have to be discussed quietly and in private. And working exploits against released kernels are generally not welcome ("irresponsible" is the word). However, it seems that having security holes exposed gaping in public may have temporary disadvantages like public opinion or insecure versions, but makes developers care more about security in the long run. As always, code speaks louder than words.
Labeling bugs as "DoS", or "potentially exploitable", or not applying any security label (and thus apparently "hiding" the problem), is another contentious point of his. Here I can only say that having some security culture will harm no developer.
Harsh manners by Brad were employed not in publicizing this particular exploit, but in his (and PaXTeam's) long rants here on LWN. That I disagree with.