
"Stable" kernel 2.6.25.7 released

Posted Jun 17, 2008 18:11 UTC (Tue) by nix (subscriber, #2304)
In reply to: "Stable" kernel 2.6.25.7 released by PaXTeam
Parent article: Stable kernel 2.6.25.7 released

The 'little time' you refer to can be anything from months to years. Not everyone keeps their
kernels bang-up-to-date, and fixes to things which might be security holes in mainline are not
always instantly propagated to -stable. Thus a window exists, and given the existence of
rapidly-propagating worms it is unwise to make that window wider than necessary.

(This is of course the entire justification for the existence of private lists like vendor-sec
and the BIND security list in the first place. You might not like it but it *is* defensible. I
don't much like it either, not being on any of those private lists, but nonetheless I can't
really argue against it.)



"Stable" kernel 2.6.25.7 released

Posted Jun 17, 2008 22:26 UTC (Tue) by PaXTeam (guest, #24616)

it does *not* matter what that 'little time' is. that's because your *whole* argument is based
on a false assumption, namely that it's the kernel devs (or whoever reports a bug to them) who
are the *first* to find a given security bug. it's obvious that there's exactly one such
person in the world who can make that claim, and based on what resources kernel devs spend on
finding security bugs vs. the rest of the world does, it's easy to see that this one lucky guy
isn't one of the kernel devs. it then follows that you can't in general assume that the
security bugs found by kernel devs aren't already being exploited in the wild. it then also
follows that this 'hide the bugs from the bad guys' doesn't actually do that, but it does hide
them from honest but less knowledgeable people who nevertheless still need to know about them
to be able to properly assess the risks of a given bug *themselves* (and what the kernel devs
think they can do better themselves - good luck proving that, if anything, they so far proved
the exact opposite).

"Stable" kernel 2.6.25.7 released

Posted Jun 17, 2008 22:44 UTC (Tue) by nix (subscriber, #2304)

It likely isn't always one of the kernel devs, but I fail to see how you 
can make claims regarding relative probabilities without data (and I can't 
figure out how to get useful data without being a major black hat whom a 
lot of other black hats talk to).

(You really do talk a lot about straw men for someone who produces so 
many.)

"Stable" kernel 2.6.25.7 released

Posted Jun 17, 2008 22:57 UTC (Tue) by PaXTeam (guest, #24616)

> It likely isn't always one of the kernel devs, but I fail to see how you 
> can make claims regarding relative probabilities without data 

because in my career i have seen part of what we now call the security industry and i know
for a fact that the kernel devs can't match their resources.

> (and I can't figure out how to get useful data without being a major
> black hat whom a lot of other black hats talk to).

see, one way i can tell a security professional from the armchair one is that the latter's
world consists of simple black and white whereas the former knows it's way more complex. so
however disappointing it will sound to you, no, you don't need to be a 'major black hat'
(whatever that means anyway) to know the capabilities acquired by the security industry.

> (You really do talk a lot about straw men for someone who produces so
> many.)

i see you feel very strongly when yours are being exposed one by one (notice how you never even
contested any of them or chose to chicken out, and btw, i thought you were done with this
thread ;), so you're welcome to expose every single one of mine ;).

"Stable" kernel 2.6.25.7 released

Posted Jun 18, 2008 12:52 UTC (Wed) by nix (subscriber, #2304)

No thanks. You're simply too unpleasant to respond to anymore, and your debate technique is
frankly enraging.

(I'm frankly not surprised PaX isn't in the kernel if you're always this confrontational,
whatever its technical merits.)

"Stable" kernel 2.6.25.7 released

Posted Jun 18, 2008 13:20 UTC (Wed) by PaXTeam (guest, #24616)

the truth isn't always pleasant. neither are straw men, that seems to be your debate technique
and that didn't work here ;). nevertheless that didn't stop me from responding to you, did it?
i asked you once already, let me repeat that here again: what do you really want from *us*? we
made our point, explained it a dozen times already, what's left for you to do is to check the
facts out for yourself. you said you weren't interested or something like that, then why do
you keep posting irrelevant things?

> (I'm frankly not surprised PaX isn't in the kernel if you're always this
> confrontational, whatever its technical merits.)

i'm frankly not surprised you brought up yet another irrelevant point here. FYI, PaX isn't in
the kernel because, drumroll.... it has *never* been submitted. imagine that! ;) and as a
sidenote, PaX features *are* in the kernel but that's a whole different story.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds