
Stable kernel 2.6.32.8


Posted Feb 9, 2010 20:38 UTC (Tue) by PaXTeam (guest, #24616)
In reply to: Stable kernel 2.6.32.8 by jake
Parent article: Stable kernel 2.6.32.8

> umm, all I said was that there was at least one security fix in there,
> which was based on that quote from Greg's email.

right, in other words you didn't really answer the first part of my question: all we can know is that at least one security bug is fixed but not which one (good luck backporting it). that's all i wanted to point out. you could (and did, sort of) say 'it is business as usual', yes, but it doesn't make it any less sad.

> [...]there is no one who goes through the -stable patches specifically
> looking for all of the security problems[...]

except usually there's no hint whatsoever about security fixes, this time was a rare exception and one can wonder why stop halfway and not actually make it clear what the security fix was. one could also ask how you know security bugs are fixed at all when you can't point at commits that do so but i digress.



Stable kernel 2.6.32.8

Posted Feb 9, 2010 21:30 UTC (Tue) by chad.netzer (subscriber, #4257) [Link] (4 responses)

Ok, how about *each* bugfix is a security fix. In a couple minutes of perusing I saw a kfree fix, a possible integer overflow fix, some NULL pointer dereferences, memset arg ordering fixes. All helpfully noted in the commit messages, by the way. So where would you like it all backported to? Would you care to help out?

1e8896049716fd580718bb9431c2ad3bddd114d7
78da404b13afa162e9da0384f553db5f19bc94b0
b260729c8a49452ae9491e3cb94750687f221d2b
e06fbe9a4092960a1db1fa973c9ec13a3ddce3f9
253f887cc8d719087f8de403cfe1a60b5e56b454

You just let us know where you want 'em, and whatever other whim of yours we can possibly satisfy.

Stable kernel 2.6.32.8

Posted Feb 9, 2010 23:53 UTC (Tue) by PaXTeam (guest, #24616) [Link] (3 responses)

> Ok, how about *each* bugfix is a security fix.

i'm afraid you failed right here.

Stable kernel 2.6.32.8

Posted Feb 10, 2010 0:01 UTC (Wed) by chad.netzer (subscriber, #4257) [Link] (2 responses)

In my best Jack Palance voice: "Prove it."

Stable kernel 2.6.32.8

Posted Feb 10, 2010 0:06 UTC (Wed) by PaXTeam (guest, #24616) [Link] (1 responses)

9c66557324ea4879abe8c9dde769a0061c81e1ac

Stable kernel 2.6.32.8

Posted Feb 10, 2010 1:18 UTC (Wed) by chad.netzer (subscriber, #4257) [Link]

That's a "bugfix", is it? Wow, convincing...

So, that's one (possible) non-security commit. Any more? Keep this up and you may just answer what you set out to ask.

Stable kernel 2.6.32.8

Posted Feb 9, 2010 22:45 UTC (Tue) by ewan (guest, #5533) [Link] (5 responses)

> right, in other words you didn't really answer the first part of my question: all we can know is that at least one security bug is fixed

That's all the summary text claimed! This really isn't complicated - Greg says there's a security fix, LWN reports that there's a security fix. No-one said they'd identified which one it was. I might equally well ask you how you determined that the moon is made of green cheese and populated by pink elephants and happy little elves. Since you didn't actually do that, you won't be able to point to specifics about it.

Stable kernel 2.6.32.8

Posted Feb 9, 2010 22:56 UTC (Tue) by bojan (subscriber, #14302) [Link]

Given this text:

"combined with verifying that a security problem really was fixed and backported properly"

It is obvious that:

- one security problem was identified
- one security fix was backported and tested

In other words, people that released this update already know which bug that is and they obviously know how they determined that. The question is, why can't we?

Stable kernel 2.6.32.8

Posted Feb 9, 2010 23:47 UTC (Tue) by PaXTeam (guest, #24616) [Link] (2 responses)

> That's all the summary text claimed!

not sure why you're bringing this up here, did anyone question that? what i asked since the beginning is to identify the security bug mentioned in the announcement. looks like you're none the wiser either though ;).

> Greg says there's a security fix, LWN reports that there's a security
> fix. No-one said they'd identified which one it was.

did i say that anyone had identified it? that's the very first question i'd asked in fact if you had cared to read the thread. according to nix it was a specific bug but then his guess is as good as mine since there're more security related bugs fixed as far as i can tell.

this is actually turning comical, are you saying that one can announce a fix for a security bug but not know which one it is? that's a new low in linux security.

Stable kernel 2.6.32.8

Posted Feb 10, 2010 1:26 UTC (Wed) by ewan (guest, #5533) [Link] (1 responses)

> did anyone question that?

Not question, so much as assume. If you read your original question "which one's the security fix and how did you determine it?" as being addressed to LWN, which is clearly the sense in which Jake answered it, you're assuming that LWN knows which is the security fix, and has some way of identifying it. That appears not to be the case.

> did i say that anyone had identified it?

Well, yes, you did rather. To ask how something was done is to beg the question as to whether it was done at all.

> are you saying that one can announce a fix for a security bug but not know which one it is?

I'm saying that LWN can report on an announcement of a security fix without knowing which one it is. If your question was addressed to GregKH rather than LWN, perhaps you'd have been better making that clear, or even sending it directly to GregKH rather than LWN?

Stable kernel 2.6.32.8

Posted Feb 10, 2010 14:55 UTC (Wed) by PaXTeam (guest, #24616) [Link]

> If you read your original question [...]

...i would see it addressed to the generic 'you' (the reader), and not to any particular person. apparently i'm not alone in that interpretation as nix managed to answer despite not being LWN staff.

> you're assuming that LWN knows which is the security fix, and has some
> way of identifying it. That appears not to be the case.

with s/LWN/the person answering the questions/, that's exactly the point i wanted to make: there's once again no information helping to identify the security fix(es).

> I'm saying that LWN can report on an announcement of a security fix
> without knowing which one it is.

you may not remember it, but LWN had once proudly proclaimed this:

> We also humbly suggest the LWN security page as a central place to look
> to keep up on security issues.

the source: http://lwn.net/1999/features/MSResponse.php3 . oh boy, how the tables have turned since...

Stable kernel 2.6.32.8

Posted Feb 10, 2010 1:12 UTC (Wed) by rahvin (guest, #16953) [Link]

> I might equally well ask you how you determined that the moon is made of green cheese and populated by pink elephants and happy little elves.

I might well ask you how you determined it's NOT. After all, everyone knows the elephants are green and it's the elves that are pink, and they aren't happy, in fact they are quite suicidal. Sheesh.

