User: Password:
|
|
Subscribe / Log in / New account

LWN.net Weekly Edition for June 27, 2002

The 2002 Kernel Developers' Summit

[Kernel hackers] The 2002 Linux Kernel Developers' Summit was held June 24 and 25 in Ottawa, Ontario. At this event, a number of issues relevant to the latter part of the 2.5 development series were worked out. LWN's Jonathan Corbet was there, and has written up the experience.
  • Day One covered the Hammer port, kernel parameters, rationalizing the loadable module mechanism, virtual memory, and the block I/O subsystem.

  • Day Two was dedicated to what database systems need from Linux, HP's kernel wishlist, the Loadable Security Module, asynchronous I/O, SCSI, and the kernel release process. Among other things, a firm date has been set for the 2.6 feature freeze.

Look inside the individual days' coverage for the details.

Comments (1 posted)

Trusting free software projects with security information

Internet Security Systems, which has been feeling quite a bit of heat for its premature revelation of the Apache "chunk handling" vulnerability, posted an "advisory response" to defend itself on June 21. It is an interesting bit of excuse-making, with references to available patches and "Presidential Decision Directive 63." Buried deep within, however, is an interesting claim:

Due to the general nature of open-source and its openness, the virtual organizations behind the projects do not have an ability to enforce strict confidentiality. By notifying the open source project, its nature is that the information is quickly spread in the wild disregarding any type of quiet period. ISS X-Force minimizes the quiet period and delay of protecting customers by providing a security patch.

This is quite a claim: ISS is telling us that free software projects can not be trusted with information on vulnerabilities in their own code.

It would be most interesting to see the evidence from ISS to back up this claim. Most free software developers (though there are always exceptions) are greatly concerned about potential vulnerabilities in their code. They care about their users, and will do their best to get a real, tested fix out before spreading the word of the vulnerability. It is not in the nature or interests of free software developers to put their users at risk.

That said, there are things that free software projects could do to help people who discover vulnerabilities. The most important thing would be to make it clear who should be contacted when a vulnerability is found. After all, sending the notification to a general project mailing list is not usually what one wants to do. But many or most project web pages offer little help to somebody wondering how to report a security hole.

Any development project which would prefer not to learn about its own security problems on Bugtraq must make an effort to do better. The project documentation and web site should offer clear contact instructions for the reporting of security problems. The security contacts should know how to respond quickly to reports, and have the ability to get a patch out to users. The procedures for responding to a security problem need to be worked out before the next vulnerability turns up.

There is no reason why free software project development teams can not be at least as trustworthy as proprietary vendors when it comes to vulnerability information. Claims that free software developers have overly loose lips are not justifyable. But developers who want to be given a chance to fix their holes before they become public need to take steps to show that they are serious about security, and they should make it easy for people to report the problems that are found.

Comments (1 posted)

Letters to the editor

When LWN switched over to the new site a few weeks ago, some of our readers worried that the comment posting facility would bring about the end of the Letters to the Editor page. After all, why bother writing a letter when it is easy to attach comments directly to articles? That was not a consequence that we had feared, but now we are beginning to wonder - no letters to the editor have been received this week. Thus, there is no letters page in this Weekly Edition.

For the most part, we have been pleased with how the comments feature has worked out so far. There have not been huge numbers of comments, but most of those we have seen have been of high quality. Our trust in our readers has proved itself justified - most of the time.

We did not want to drop the Letters to the Editor page, however. The Letters page has, over the years, been a valuable source of feedback and a place for LWN readers to express their opinions. So we hope that this week's lull proves to be a temporary thing; perhaps all of our letter writers are at OLS this week. If you have an opinion on something that you would like to see published, please do not hesitate to send it our way; letters should be sent to letters@lwn.net

Comments (12 posted)

Page editor: Rebecca Sobol

Inside this week's LWN.net Weekly Edition

  • Security: OpenSSH 3.4 quickly replaces 3.3; apache update; Security in Open versus Closed Systems
  • Kernel: 2.5.24 development kernel, Development kernel prepatch 2.5.24-dj2 released from the Kernel Summit, 2.4.19 rc 1.
  • Distributions: Distribution news from Debian, Mandrake, Red Hat, Yellow Dog, and more.
  • Development: GNOME 2.0 Desktop and Developer Platform, GNU Gnostscript 7.05, GNU Bayonne 1.0, Samba 2.2.5, gphoto2 2.1.0, SBCL 0.7.5, Perl 5.8.0 RC2.
  • Commerce: IBM Delivers Total Linux Solutions to Wall Street; SnapGear Announces new uClinux Distribution
  • Press: Open Source in Peru, HP/Red Hat deal, Sun/IBM deal, MS maneuvers a source code release, Usenix Tutorials.
  • Announcements: European Digital Rights, Fourth Australian Open Source Symposium, SAGE-AU 2002 Conference, Python GTK+/GNOME Wiki.
Next page: Security>>

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds