Not so fast
Posted Jun 18, 2008 13:44 UTC (Wed) by spender (guest, #23067)
In reply to: Not so fast by nix
Parent article: Stable kernel 2.6.25.7 released
Some get it, but some do not (the ones trying to misinterpret all the provided evidence to support their view). Unfortunately for them, the way things are is often not as how we imagine or would like them to be. If even Willy is saying that Linus intentionally omits security information at times in his commits, which he is fully aware of at the time of the commit, why are you still quibbling with us? I was surprised myself Willy was so honest about this (I appreciate it), and it meshes with the private evidence I have.

In general, from the evidence I have, the people in charge of handling security put forth a lot of effort and in most cases handle things properly. This is especially true of bugs that are submitted to them from the outside, where security-relevance is either explicitly mentioned or suggested. But in some cases (the specific examples already provided and others I'm currently compiling), things aren't handled properly. It seems so far that these involve bugs that haven't been labeled as security-relevant by individuals/companies in the public realm. Many of these bugs seem to be DoS-related. On their private lists will exist PoC code to trigger them, so their security-relevance is well known to the members of the private lists, and yet often it's these that get handled improperly.

Like we had been arguing, this isn't a conspiracy. They don't coordinate on the lists on how to cover up the security bugs for the day. But there does seem to be some adherence among some to an "unwritten rule", that if they aren't being publicly held accountable for something, the rules can be relaxed. The problem is they end up hurting themselves (and all of us) this way, since when things aren't mentioned properly publicly through the changelogs, it often never gets proper classification (see the SELinux remote DoS at the bottom of the page).

As to why you continue to argue, this might help explain the uncomfortableness you're feeling: http://en.wikipedia.org/wiki/Cognitive_dissonance

-Brad
Not so fast
Posted Jun 18, 2008 16:52 UTC (Wed) by nix (subscriber, #2304)
I agree with everything you've said in that comment.
I just don't think it's 'dishonest'. Everyone involved is quite open about what's going on, so how it could be considered dishonest is quite beyond me (and it's not as if we see holes with actual significant impact being not fixed: please, 'root can get complete control of the system' is likely to impact a number of systems given in single digits, given that on virtually every system out there root *already* has complete control: and 'hold back for a few days until the major distros have updated' also seems reasonable. CPU bugs with security impact are an entirely different kettle of silicon, and I have no idea what the right thing is to do there, especially if the bug is one that can't be fixed with a microcode update: someone's going to get hurt sooner or later no matter what you do).

Not so fast
Posted Jun 18, 2008 17:59 UTC (Wed) by PaXTeam (guest, #24616)
> Everyone involved is quite open about what's going on, so
> how it could be considered dishonest is quite beyond me
where did you see 'everyone involved' being open? not here. not a single person who participated in the withholding of known security impact info posted to this thread or admitted doing so.
> and it's not as if we see holes with actual significant impact being not fixed:
strawman warning ;)! we did *not* talk about bugs not getting fixed. we talked about bugs not getting properly described in the commits. where did you pull this one from? but now that you did, i'll actually ask you a question: if a commit doesn't contain security info (such as the ptrace self-attach fix), how are people running their own kernels supposed to know to pick such commits up (think of distributors, not only individuals)? they can't, therefore all *their* users are unnecessarily exposed to risk.

Not so fast
Posted Jun 19, 2008 9:45 UTC (Thu) by nix (subscriber, #2304)
Er, I was pointing out that it would be significant if we saw things getting covered up and not fixed. We don't.
(Are you *so* confrontational that you assume that when I'm agreeing with you, I'm actually trying to argue against you, so my point is thus a 'straw man'? If this is actually what's happening, you're functionally incapable of reading English as far as I'm concerned.)

Not so fast
Posted Jun 19, 2008 10:31 UTC (Thu) by PaXTeam (guest, #24616)
> Er, I was pointing out that it would be significant if we saw things
> getting covered up and not fixed. We don't.
er, i was pointing out that it was *not* what we had been talking about all along. we talked about things getting fixed but *not* communicated properly, in particular, the security impact of fixes was sometimes omitted even when it was full well known. that *is* dishonest, no matter how much you argue the opposite:
> I just don't think it's 'dishonest'.
that is *not* 'I'm agreeing with you', no matter how you spin it later.
but i said all this a 100 times already by now yet *you* keep diverging into irrelevant possibilities that we have never raised. you tell me who has a reading comprehension problem. also it has been your strategy to change the subject of discussion slightly in order to be able to attack it then. that meets the dictionary definition of a strawman. i know you never liked it when i exposed every one of your attempts, but that should not be reason to resort to ad hominem in lieu of rational arguments (you probably figured out by now that i'm not a native speaker, right?). as you so aptly said:
> This thread is giving me so *very* many examples of how not to communicate...

Not so fast
Posted Jun 19, 2008 21:47 UTC (Thu) by nix (subscriber, #2304)
The dictionary definition of a straw man argument is arguing !A and then concluding !B, where A is not a precondition of B.
What I'm doing is considering slight variations on what you're discussing in order to figure out if *they* have any merit (since your claim of some peculiar form of non-malicious dishonesty is incoherent I haven't wasted any time considering that case at all).
My apologies for *daring* to consider tangential cases at all. I wasn't aware I wasn't allowed to discuss such things.
(Your claims of 'exposure' reek of paranoia. In fact pretty much everything you've posted reeks of paranoia.)

Not so fast
Posted Jun 20, 2008 1:37 UTC (Fri) by zakalwe2 (guest, #50472)
>> since your claim of some peculiar form of non-malicious dishonesty is incoherent
No honey, your ass doesn't look big in that at all.
