Full Disclosure mailing list archives
Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy
From: Steve Grubb <sgrubb () redhat com>
Date: Thu, 17 Jul 2008 11:41:19 -0400
On Thursday 17 July 2008 06:57:57 Dave Aitel wrote:
> I think what Brad and the Pax Team are saying here is that:
>
> 1. We hold Linux to a higher standard than a company - we expect the term "open source" to apply to more than just the source code.
>
> 2. For that reason, the community finds it discomforting when kernel maintainers know that a patch has a serious security ramification and essentially lie about it by neglecting to put that into the patch comments. That's the sort of behavior we expect from a large commercial entity.
Linux is a community, which means that it needs people helping out when they see something that no one else is doing. The community is not divided into people inside and outside the community. Everyone can help.

Also, security reviews do not have to be confrontational in nature. Instead of following each dot release with something written in a condescending tone, why not start doing this in a more calm tone for each kernel release, with a little more explanation that not-so-technically-savvy people understand? Then take the step of submitting the bugs for CVE numbers. Over time I think it would be a valuable reference for admins. IOW, turn the negative that you see into something positive for the community.

-Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/