Kernel bug 9416
Posted Jun 18, 2008 4:20 UTC (Wed) by vonbrand (subscriber, #4458)
In reply to: Kernel bug 9416 by spender
Parent article: Stable kernel 2.6.25.7 released
"Avoid copying overlong strings" does make my (mostly untrained!) alarm bell go nuts. If that is "obfuscation"...
In all this (by now extremely tiresome) discussion I have seen not a shred of evidence of wrongdoing. Perhaps carelessness, perhaps people not seeing potential security problems. Bugs get fixed, most developers care that it is a bug and don't care much if it might be a security problem. Others try to filter "important" (by whatever measures) fixes to apply to the "-stable" (by their measure) tree. If you disagree, you are welcome to set up the "-secure" tree and do your own filtering and applying. In doing so, you won't be able to rely blindly on the commit messages (the bug fixer might be completely incompetent at seeing security implications) or the discussions that went before (they could all very well be completely off track), so this is hard, thankless work. If you moreover succeed in recruiting a bunch of hackers to help out, more power to you. That would be a real help; flinging all sorts of conspiracy theories and ill will accusations around is counterproductive. If the people here (myself included) had spent their time chasing bugs instead of flaming around, we would all be better off.
Posted Jun 18, 2008 12:17 UTC (Wed) by PaXTeam (guest, #24616)
Kernel bug 9416
> In all this (by now extremely tiresome) discussion I have seen not a
> shred of evidence of wrongdoing.
would that be because you haven't actually seen/read everything? if you have, please tell me
the history of this commit/bug:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-... .
if you don't see it immediately from the linked commit it's because it was intentionally
omitted. but you can always ask the committer. will you?
> Perhaps carelessness, perhaps people not seeing potential security
> problems. Bugs get fixed, most developers care that it is a bug and
> don't care much if it might be a security problem.
that shows how much of the discussion you saw. pretty much nothing. the issue is *not* with
people not realizing the security impact of bugs (no one expects people to disclose what they
don't know), but rather with intentional withholding/downplaying the same when it *is* known
to them. i gave you a lead above, try to find out what happened there and be shocked.
