From: Theodore Tso <tytso-AT-mit.edu>
Subject: Re: [stable] Linux 22.214.171.124
Date: Tue, 15 Jul 2008 14:33:51 -0400
Cc: Linus Torvalds <torvalds-AT-linux-foundation.org>, Greg KH <greg-AT-kroah.com>, Andrew Morton <akpm-AT-linux-foundation.org>, linux-kernel-AT-vger.kernel.org, stable-AT-kernel.org
On Tue, Jul 15, 2008 at 05:31:09PM +0200, firstname.lastname@example.org wrote:

> obviously there *is* a policy, it's just not what you guys declared
> earlier in Documentation/SecurityBugs. would you care to update it
> or, more properly, remove it altogether as it currently says:

Hi, so I'm guessing you're new to the Linux kernel.

What you are missing is while *Linus* is unwilling to play the disclosure game, there are kernel developers (many of whom work for distributions, and who *do* want some extra time to prepare a package for release to their customers) who do. So what Linus has expressed is his personal opinion, and he simply is not on any of the various mailing lists that receive limited-disclosure information, such as the general email@example.com mailing list, or the firstname.lastname@example.org list mentioned in Documentation/SecurityBugs.

Both vendor-sec and email@example.com are not formal organizations, so they can not sign NDAs, but they will honor non-disclosure requests, and the subscription list for both lists is carefully controlled. People like Linus who have a strong, principled stand for Full Disclosure simply choose not to request to be placed on those mailing lists. And if Linus finds out about a security bug, he will fix it and check it into the public git repository right away. But he's very honest in telling you that is what he will do --- so you can choose whether or not to include him in any disclosures that you might choose to make.

The arguments about whether or not Full Disclosure is a good idea or not, and whether or not the "black hat" and "grey hat" and "white hat" security research firms are unalloyed forces for good, or whether they have downsides (and some might say very serious downsides) have been arguments that I have personally witnessed for over two decades (Speaking as someone who helped to dissect the Robert T. Morris Internet Worm in 1988, led the Kerberos development team at MIT for many years, and chaired the IP SEC Working Group for the IETF, I have more than my fair share of experience). It is clear that we're not going to settle this debate now, and certainly not on the Linux Kernel Mailing List. Suffice it to say, though, that there are people whose views on these matters span the entire gamut, and I know many reasonable people who hold very different positions along the entire continuum --- and this is true both in the Internet community at large, and in the Linux Kernel development community specifically.

Best regards,

- Ted
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds