
Kernel.org's road to recovery

Posted Oct 6, 2011 15:51 UTC (Thu) by dlang (✭ supporter ✭, #313)
In reply to: Kernel.org's road to recovery by mpr22
Parent article: Kernel.org's road to recovery

one way to debug such people is not to feed their delusions by making it easier for them to follow this invalid logic.

the real problem with the idea of tagging all security relevant patches is the outcry that will come when patches that are _not_ tagged as being security patches end up being found to be security related at some later time (including possibly before the kernel is even released)

Kernel.org's road to recovery

Posted Oct 6, 2011 21:01 UTC (Thu) by PaXTeam (subscriber, #24616)

> one way to debug such people is not to feed their delusions by making it
> easier for them to follow this invalid logic.

what logic?

> the real problem with the idea of tagging all security relevant patches
> is the outcry that will come when patches that are _not_ tagged as being
> security patches end up being found to be security related at some later
> time (including possibly before the kernel is even released)

why would there be an outcry for not disclosing something one didn't know about at the time of disclosure? let me guess, it's just another strawman 'logic' of yours trying to digress from the actual problem: if a developer knows he's fixing a bug with security impact, he must not cover up that fact, simple as that. what he doesn't know is and has always been utterly irrelevant for this discussion.

Kernel.org's road to recovery

Posted Oct 6, 2011 21:23 UTC (Thu) by dlang (✭ supporter ✭, #313)

the invalid logic is the idea that if a commit is not tagged as being a security fix, they can safely ignore it.

Kernel.org's road to recovery

Posted Oct 6, 2011 23:24 UTC (Thu) by PaXTeam (subscriber, #24616)

right, this is the same old tired strawman then and i guess the chances of your answering the same old tired request of mine are slim to none, but here it is again, just for the record: show me a *single* individual who 1. provably believes/follows/operates based on your logic above, 2. has *any* relevance whatsoever in producing kernels for a wider audience. define wide as more than say 10 people in the world but if you really want to advance this silly strawman then better pick someone working for RH/Novell/Canonical/Oracle/etc, you get the idea. because, you see, if no such person exists, you'll need to pick a better argument for justifying the covering up of kernel security fixes. i also wonder how you, a self-described security professional, imagine keeping your systems secure if you don't get to know about security fixes.

Kernel.org's road to recovery

Posted Oct 7, 2011 18:32 UTC (Fri) by vonbrand (subscriber, #4458)

Au contraire. Show that there is no miscreant grepping for such stuff in the kernel (and other changelogs) in order to find out if they can put their foot in the door, and we might reconsider.

Kernel.org's road to recovery

Posted Oct 7, 2011 21:22 UTC (Fri) by PaXTeam (subscriber, #24616)

what do some people's intentions have to do with being honest? nothing? are you suggesting that the weatherman stop reporting today's hurricane location because some miscreant may use that information for evil purposes? coming back to common sense, yes, nobody who is actually able to do damage will grep commit messages as that helps exactly nothing to write an exploit (reading the actual code however does).
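
The two posts above disagree about what "grepping the changelog" for security fixes actually buys an attacker or a defender. The script below is an added example, not code from this thread, from LWN or from the kernel project: it runs the kind of keyword grep being argued about over a constructed, git-log-style list of commit subjects. The hashes, subjects, function names and the keyword pattern are all made up for illustration; no real project publishes such a list.

```shell
#!/bin/sh
# Added example (not from the LWN thread or the kernel tree): keyword triage
# of commit subject lines, i.e. the "greppable words" the thread argues about.

# Constructed input: one commit per line, "<short hash> <subject>".
# Three of the five commits fix bugs with security impact; only two say so.
# Hashes, subsystems and function names are invented for illustration.
SAMPLE_LOG='a1b2c3d mm: fix use-after-free in example_unmap()
b2c3d4e net: validate length before copying header into stack buffer
c3d4e5f docs: fix typo in example driver README
d4e5f6a fs: fix NULL pointer dereference on truncated example_super block
e5f6a7b sched: rename helper for readability'

# Words a log-grepper would plausibly look for. This pattern is an assumption
# made for the example, not a list any project maintains.
SECURITY_PATTERN='CVE-|security|use[- ]after[- ]free|overflow|out[- ]of[- ]bounds|double[- ]free|NULL pointer|privilege|exploit'

# Print the commits (stdin -> stdout) whose subject carries one of the keywords.
grep_security_fixes() {
    grep -iE "$SECURITY_PATTERN"
}

# Print how many commits the keyword grep flags.
count_security_fixes() {
    grep_security_fixes | wc -l | tr -d ' '
}

# Demonstration: the grep flags the two commits that name their bug class and
# misses b2c3d4e, whose subject describes a bounds check in plain words and
# therefore carries none of the tagged terms.
printf '%s\n' "$SAMPLE_LOG" | grep_security_fixes
printf 'flagged: %s of 5 commits\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_security_fixes)"
```

Run it as `sh triage.sh` (file name assumed). The flagged set is exactly the commits that describe their own bug class; the untagged bounds-check fix is invisible to the grep, which is the failure mode dlang describes earlier in the thread, and the reason PaXTeam says the grep helps exploit writing "exactly nothing" compared with reading the diff itself.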

Kernel.org's road to recovery

Posted Oct 9, 2011 16:05 UTC (Sun) by vonbrand (subscriber, #4458)

Honesty is all about intentions.

Kernel.org's road to recovery

Posted Oct 10, 2011 7:57 UTC (Mon) by PaXTeam (subscriber, #24616)

so you agree that Linus is dishonest since he declared his intentions to cover up security fixes quite clearly. it's a good start :).

Kernel.org's road to recovery

Posted Oct 11, 2011 1:10 UTC (Tue) by vonbrand (subscriber, #4458)

He asked not to indulge in a theater of flagging commits with useless (and probably misleading) comments. That is a very far cry from dishonesty.

The contention that such commit messages will make Linux look bad is nonsense; if somebody wants to get data on security problems there are lots of other sources, very much more accurate than self-selected comments on patches.

Kernel.org's road to recovery

Posted Oct 11, 2011 7:36 UTC (Tue) by PaXTeam (subscriber, #24616)

> He asked not to indulge in a theater of flagging commits with useless
> (and probably misleading) comments.

no, he didn't *ask* anything. he *declared* that he does *not* want to see greppable words that'd identify a commit as fixing a security bug. no ifs and buts there. in less euphemistic words it's also called a coverup. second, if identifying security fixes was 'useless (and probably misleading)' then 1. why does he still let through such commits sometimes, 2. why does the rest of the world do this? something doesn't add up here if your theory holds ;).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds