"Stable" kernel 2.6.25.7 released
Posted Jun 17, 2008 10:07 UTC (Tue) by PaXTeam (guest, #24616)
In reply to: "Stable" kernel 2.6.25.7 released by wtarreau
Parent article: Stable kernel 2.6.25.7 released
> Then he can post privately to the -stable team.

in case you didn't read http://lwn.net/Articles/285438/, the problem is not with -stable per se, it's just one of the casualties of the policies played on the kernel security mailing list (although it's probably not a coincidence as there's overlap between the members). it should also be clear by now that we are NOT going to play ball with that list. i even told you so in the past already (remember the random driver stack overflow bug?). the reason is very simple and sad at the same time: this list has become the primary place to discuss then hide security information about bugs. in case it's not clear, the problem is not with the 'discuss' part but the 'hide' one.

> But I think that unfortunately, Brad is not trying to improve Linux but
> to demonstrate it's a pile of crap, maybe in order to promote security
> add-ons such as grsecurity.

how is exposing the dishonesty of certain kernel developers not improving linux? do you want people to live without knowing what bugs have security related consequences? if said developers are unwilling to practice full disclosure (despite public reassurances, mind you) then someone else has to. and how on earth is this supposed to promote grsecurity (or any other access control system)? if anything, they all suffer collateral damage from this policy of not-exactly-full-disclosure.

> But it's doing no service to him either because acting this way will
> scare away people who look for a reliable system.

i did that more than 3 years ago already: http://forums.grsecurity.net/viewtopic.php?p=3805#p3805 and i still stand by what i said back then. in fact, the situation has become a whole lot worse since.

> IMHO, he would be of great help if he would accept to be on the -stable reviewers list.

it's too late by then, the problems start with the kernel security list, -stable feeds on that. and no amount of private lists will help the accountability problem you're having now.

the way of solving that is to make the archives public after a certain period (there's nothing to hide after the bug is fixed and public, right?) then we can talk about having improved linux security.
Posted Jun 17, 2008 19:24 UTC (Tue) by wtarreau (subscriber, #51152)
"Stable" kernel 2.6.25.7 released
stable@ is not a list, just an address to post things you think should be fixed in stable releases. There is no secrecy there, you can simply CC LKML if you want (and preferably the patch reporter first in order to get information about relevance). I sometimes proceed like this.

I have no problem with your policy about not posting to private lists. Davem does the same, and I respect this. Then you'd better check the oss-security list: http://oss-security.openwall.org/wiki/

It is public, talks about security issues in open source software (including linux), and many of the closed lists' members are there.

Posted Jun 17, 2008 20:35 UTC (Tue) by PaXTeam (guest, #24616)
"Stable" kernel 2.6.25.7 released
> stable@ is not a list, just an address to post things you think should
> be fixed in stable releases.

yes, i figured it out in the meantime. problem with it still is that anything that makes it there is already *too late* because it must have entered the Linus tree already (mandatory condition for a submission to be accepted). and if the commit is misleading there, it's game over for everyone else. in any case, you can certainly CC me on anything you need my input on *but* consider that my work has nothing to do with either the kernel or security and, as of this year, i'm spending less and less of my free time on this as well, with the eventual goal of completely stopping it. in other words, don't expect me to spend a lot of time on this, my quota for linux/security is already pretty much exhausted.

Posted Jun 17, 2008 21:21 UTC (Tue) by spender (guest, #23067)
"Stable" kernel 2.6.25.7 released
Though it won't solve many of the problems mentioned, particularly:
1) Bugs that originate in private through the numerous private mailing lists
2) Obvious and explicit security information mentioned in attached bugzilla entries getting omitted from changelogs
3) root-based bugs not only being downplayed, but specifically labeled as not security relevant (defeats the purpose of SELinux, SMACK, capabilities)

It may help in raising more awareness regarding the invalid userland dereference class of bugs, which seem to most often get ignored. (Microsoft hopefully is paying similar attention: http://www.immunitysec.com/downloads/DriverImpersonationA...)

With that said, you're of course welcome to CC me on relevant mails as well.

-Brad
