LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

How long should security embargoes be?

How long should security embargoes be?

Posted Feb 10, 2012 23:39 UTC (Fri) by PaXTeam (subscriber, #24616)
In reply to: How long should security embargoes be? by arjan
Parent article: How long should security embargoes be?

users aren't vulnerable during the embargo only, they're vulnerable as long as they use the buggy code. the latter is usually much much longer than the former so a few days more or less for an embargo doesn't really change anything. actually i'm surprised you'd go public with such a statement considering your participation in one of the worst handled linux security bugs of all times. to refresh your memories, this is what was posted to vendor-sec on 2003.09.25:

<arjan> there's a security hole found by akpm
<arjan> that also hits your kernels
<arjan> Subject: [PATCH] do_brk() bounds checking
<arjan> that patch you want
<arjan> agreement is to put it in silently (eg no changelog)
<davej> ok
<arjan> it's not exactly public stuff either
<arjan> linus committed it with a non-security comment
<arjan> so should we
<davej> ok

and the result of this was the now infamous debian core infrastructure compromise a few weeks later. what did you want to prove again?

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds