Full Disclosure mailing list archives
Re: Linux Kernel CIFS Vulnerability
From: Thierry Zoller <Thierry () Zoller lu>
Date: Fri, 10 Apr 2009 13:51:28 +0200
Hi Marcus,

MM> I think we have brought this up to the kernel guys often already
MM> without much effect ... and I am aware of above posts.

I am a bystander that is bewildered by the situation and have not been following this "situation" from the beginning.

MM> This is Opensource, if the original authors don't provide security
MM> guidance,

You mean "this is anarchy" or sparte? SCNR

There is no need for "security guidance", there is a need for a simple FLAG [x] Might be security relevant or [X] is security relevant. Others might then look into it a lot faster instead of triaging through hundreds of irrelevant bugs.

MM> someone else can easily step up and do it, like Brad, or Fefe,
MM> or whoever else.

Brad and Fefe have certainly other things to do than point out security intrinsics of bugs in OSS software. Setting the flags above might help getting others to look into it faster.

How about solving the problem by open sourcing the knowledge required to attribute the security nature of a coding error as to help those that simply ignore it? That could be a start too. It's often plain easy and can be explained in IF ELSE kind of way.

MM> Even we as Linux distributors should probably set some people up to study the
MM> .stable releases for such things.

It would certainly help, what helps a lot more from my POV is creating a website, a sort of hallofshame, that discloses silent security fixes. It helps everybody, puts pressure on the "they are just normal bugs" fraction, helps those that ignore WHY a particular bug has security implications and helps the overall perception of OSS software in terms of security.

--
http://blog.zoller.lu
Thierry Zoller