LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Kernel.org's road to recovery

Kernel.org's road to recovery

Posted Oct 7, 2011 1:25 UTC (Fri) by malor (subscriber, #2973)
In reply to: Kernel.org's road to recovery by dlang
Parent article: Kernel.org's road to recovery

I mean, to put this another way, the kernel devs are arguing that they should knowingly lie about the impact of bugs.

People are asking you to stop lying. How could anyone argue that this is a bad position?

If people incorrectly think that Linux is safer than it is, then it will get used in more places; people will depend on it to keep them safe when, if the devs were being truthful, they wouldn't. This is an advantage to the Linux devs, increased job security, with a direct disadvantage to the people being lied to.

Lying to take advantage of people is wrong, full stop. In this context, in the modern world, they could die because of this deception. Short of actively inserting vulnerabilities themselves, there is probably nothing more ethically wrong that any coder could do.

That's all that's being asked here: stop lying. Nothing more. Stop actively hiding the impact of your bugs. You don't have to go out of your way to figure out what those impacts are, but if you KNOW a bug is security related, tell the truth.

People are asking you to tell the truth, and you guys are shouting "NO FUCKING WAY!"

(Log in to post comments)

Kernel.org's road to recovery

Posted Oct 9, 2011 16:20 UTC (Sun) by vonbrand (subscriber, #4458) [Link]

How is not tagging a patch that might perhaps fix a security problem with a lot of explanation, which will take work to research and write up, "lying"? I'd prefer to have kernel hackers working on what they do best, not setting themselves up for all kind on accusations along the lines "didn't see the obvious [with 20/20 hindsight] security problem here!" and "totally incompetent, this can't possibly be a security risk!" leading up to "liar!" A kernel bug is extremely serious, period. Anything else, like a relative security layman's assesment if it could be exploited, moveover with little research and no real evidence, is just noise. If somebody wants to publish a kernel tree with CVE numbers and other decorations as notes attached to the commits, it is a free world.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds