
How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 8:06 UTC (Mon) by dlang (subscriber, #313)
In reply to: How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com) by imitev
Parent article: How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

or 4, they respond when someone points out a problem and work to close that problem, but are not willing to sacrifice performance based on theoretical problems that they see no possible way to exploit.

They are also far too busy reviewing and accepting code where the author wants it to be part of the kernel to go hunting around for code that may exist, may or may not have bugs, may or may not apply to the core kernel without problems, and may or may not even be legally released.

One of the side effects of the SCO fiasco is that they require that people attest that they have the right to contribute the code that they submit. Just saying 'someone slapped a GPL tag on it' isn't going to be good enough.

The kernel developers have removed code that they had the legal right to include in the kernel because the author of the code wanted them to. They aren't about to go hunting for code whose author may oppose what they do with it.



How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 10:20 UTC (Mon) by imitev (guest, #60045)

> or 4, they respond when someone points out a problem and work to close that problem, but are not willing to sacrifice performance based on theoretical problems that they see no possible way to exploit

Well the *class* of exploits that grsecurity prevents looks rather practical to me (and if it was only theoretical why would security companies even bother using it?), so we'll have to agree to disagree.

> The kernel developers have removed code that they had the legal right to include in the kernel because the author of the code wanted them to.

Code != concepts. So OK, the problem is then with patents.
Let's have a look at virtualization: one would think that it's a patent minefield compared to security, but we continue to enjoy a steady rate of improvements and new features in that area. Maybe it's just that it's more fun and interesting to develop than security. Or not: companies make money selling virtualization products, or save money buying them to optimize their computing resources. Meanwhile, security is not only costly, with no immediate benefits, but it also prevents your employees from getting the work done in a quick&dirty way, it makes users yell at sysadmins, and a few other dozen complaints. You just realize how nice it would have been when your systems are compromised. And on the other side, if you invested in it, you might not see any effect since you effectively decreased the chance somebody would manage to hack you. I'm wandering too far, but the point is that security is a difficult sell; I don't think it has anything to do with legal stuff. People are just not interested.

> Well, he would have to make a case that he needed to be paid by them

I don't understand how your comment relates to what I've written.
There seems to be an assumption that Spender needs money and should be paid to push features upstream; I hope for him he's already well paid between sponsoring, consulting, and (maybe) selling exploits. I anticipate you'll ask why he's then bothering trying to advertise his superior features; maybe he's just trying to prove a point and have some recognition for the work he's doing - very human, after all. Granted, with a complete lack of diplomacy.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds