Kernel security, year to date

Posted Sep 9, 2008 22:42 UTC (Tue) by spender (subscriber, #23067)
In reply to: Kernel security, year to date by bfields
Parent article: Kernel security, year to date

Well, unfortunately, it's the same metric being used to gauge the quality
of the Linux kernel's security in the very same article here that you're
commenting on. I completely agree that it's highly flawed (as I'd for
instance put the actual number of vulnerabilities fixed this year at around
80-100. For every vulnerability that gets public recognition, there is at
least one other that does not).

But at the same time, if we take into account the idea of silently fixed
vulnerabilities, there are *far* fewer bugfixes made to the 2.4 tree for
these to hide in compared to the 2.6 tree. It's not unreasonable at all I
think to say that with 40mb of code changes per stable release, it's not
exactly possible to maintain a secure codebase.

You could also look at how many of the vulnerabilities affected 2.6 only --
nearly all of the 2.4 vulnerabilities were present in 2.6 as well.
In 2.6, there have been many serious vulnerabilities recently but they
won't get much public attention because they only affect a small number of
recent kernels (the kernel developers fixing their recently introduced bugs
basically).

-Brad


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds