
Quotes of the week

There is no more distributed storage you knew before, instead there is a completely new project being developed, whose main goal is to provide a transport layer for the block requests only. Consider it as Network Block Device on huge steroids. Consider it as iSCSI on huge steroids. Consider it as ATA-over-Ethernet on even more huge steroids. It is just an example of what all those protocols should have. And only that.
-- Evgeniy Polyakov didn't get the "zero tolerance for doping" memo

If you want the kernel people to endorse your project, you'll have to please them. It's that simple. If that means having to radically re-structure your design, and/or break backwards compatibility then so be it. Such are the costs for not collaborating from the start.

If you stubbornly refuse to co-operate you'll either break the project or invite a fork/rewrite by someone else if the idea is deemed worthwhile enough.

-- Peter Zijlstra (on SystemTap)

Being a good citizen in Linux land often means improving whole subsystems rather than stuffing a bunch of fancy features into individual drivers. Working that way can be harder, but it spreads the benefits wider, and improves Linux as a whole.
-- Jesse Barnes

FWIW, I would rather see implications thought about *and* mentioned in the changelogs. OTOH, the above shows the real-world cases when breakage hadn't even been realized to be security-significant. Obviously broken behaviour (leak, for example) gets spotted and fixed. Fix looks obviously sane, bug it deals with - obviously real and worth fixing, so into a tree it goes... IOW, one _can't_ rely on having patches that close security holes marked as such. For that the authors have to notice that themselves in the first place.
-- Al Viro (read the whole thing)


Quotes of the week

Posted Jul 24, 2008 3:50 UTC (Thu) by flewellyn (subscriber, #5047) [Link] (1 responses)

Viro, as usual, is both right and deliciously snarky.

Quotes of the week

Posted Jul 24, 2008 11:21 UTC (Thu) by nix (subscriber, #2304) [Link]

Indeed. I don't think I've ever seen 'gentlemen' used as an insult before.

Al shames those of us for whom English is our native tongue. :)

Quotes of the week

Posted Jul 25, 2008 15:45 UTC (Fri) by zooko (guest, #2589) [Link] (2 responses)

I did read the whole thing and it was well worth it for the analysis of the history of a specific security flaw and its patches.

Quotes of the week

Posted Jul 28, 2008 3:57 UTC (Mon) by JoeBuck (subscriber, #2330) [Link] (1 responses)

Viro makes an interesting charge:
Going to vendor-sec is a mistake I won't repeat any time soon and I would strongly recommend everybody else to stay the hell away from that morass. It creates inexcusable delays, binds you to confidentiality and, let's face it, happens to be the prime infiltration target for zero-day exploit traders.

Quotes of the week

Posted Jul 29, 2008 2:39 UTC (Tue) by roelofs (guest, #2599) [Link]

Viro makes an interesting charge:

Going to vendor-sec is a mistake I won't repeat any time soon and I would strongly recommend everybody else to stay the hell away from that morass. It creates inexcusable delays, binds you to confidentiality and, let's face it, happens to be the prime infiltration target for zero-day exploit traders.

Which part do you see as the charge, or do you mean the whole thing? It certainly creates delays, but I don't think that's a surprise to any of us. It's also unquestionably a prime infiltration target, but that doesn't imply anyone has yet succeeded in doing so; we ("most of us") simply don't know. Finally, he claims vendor-sec binds you to confidentiality, but that's only if you (and/or your employer) allow it; you (or your employer) can also choose to contact them in write-only fashion, provide a disclosure date, and leave it at that. Without a written and mutually-agreed-to contract, what obligation do you have beyond those of basic courtesy/altruism/etc.? IANAL, but I don't think shrinkwrap provisions would have legal force even if they attempted it, and AFAIK, they haven't attempted it.

Greg


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds