
Linus and security

Posted Jan 13, 2005 13:53 UTC (Thu) by slowjoe (guest, #18834)
In reply to: Linus and security by zorgan
Parent article: Linux kernel security

A quote of Linus from the above thread:

(See for the full article.)

The only thing I really care about is that we can serve the people who
depend on us by giving them source code that is as bug-free and secure as
we can make it. If that means that we should make the changelogs be a bit
less verbose because we don't want to steal the thunder from the people
who found the problem, that's fine.

I suspect that you may be revising your views. Linus takes a strong "let's minimise the window of vulnerability" line. That would appear to be in everyone's best interest.

Linus and security

Posted Jan 13, 2005 17:27 UTC (Thu) by zorgan (guest, #4016)

But his view is totally inconsistent in this regard. He doesn't realize
users don't want disclosure to happen until vendor kernels are ready.
First he says he only cares about giving users the most bug-free code
possible, then he says maybe it doesn't matter that the kernel
gets security fixes last.

Linus and security

Posted Jan 13, 2005 17:50 UTC (Thu) by jwb (guest, #15467)

You're projecting your own opinion on the rest of us. I am a user of Linux and I don't give a flying handshake about vendor kernels or their users. It is in the best interest of me and my business to have complete knowledge of all risks associated with the software we use. We need to be perfectly informed to make good operating decisions.

Linus and security

Posted Jan 13, 2005 21:48 UTC (Thu) by zorgan (guest, #4016)

But his stand doesn't help you in any respect either. His attachment to
his views means he doesn't work with vendor-sec, which means official kernels get released with known security holes. Check Alan Cox's
emails in the lkml thread.

Linus and security

Posted Jan 14, 2005 5:34 UTC (Fri) by Ross (guest, #4065)

Speaking as a user I could care less about vendor kernels. I want the
fix out as fast as possible. If that means disclosing the vulnerability
or, more likely, giving enough information (from the patch) for someone
to figure it out then that's ok with me. Waiting on vendors could get
very ugly... which vendors first of all. What if one of them takes weeks
to get the patch released? What if they only do quarterly updates? What
about regression testing? I don't want to wait on those things.

Linus and security

Posted Jan 20, 2005 13:32 UTC (Thu) by job (guest, #670)

As I understand it, he specifically points to the problem that he is not allowed to fix problems too early with the delayed disclosure process. Everybody agrees to wait until the period is over. I for one am very thankful that Linus does not get into that game.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds