Dailydave mailing list archives
Things look bad for vendor-sec
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 14 Jan 2005 12:42:16 -0500
Counting the leak from vendor-sec that came across this list last week, and counting Linus coming out against that whole way of life, I think things are rocky on the vendor-sec front. It was kind of a dumb idea to start with, I think. You know who's really good about open disclosure of vulnerability holes? NetBSD. I dunno why, but they always put a lot of good technical data about holes in their advisories.
http://www.internetnews.com/dev-news/article.php/3458961
"So it's embarrassing to everybody if the kernel.org kernel has a security hole for longer than vendor kernels, but at the same time, most users run vendor kernels anyway, so maybe the current setup is the proper one, and the kernel.org kernel should be the last one to get the fix," Torvalds wrote. "Whatever. I happen to believe in openness, and vendor-sec does not. It's that simple."
..."Quite frankly, nobody should ever depend on the kernel having zero holes," Torvalds wrote. "We do our best, but if you want real security, you should have other shields in place."
Does anyone know if you can use the GCC stack protection in kernel code? It would make sense if they did. I know the Windows people try to when they can. (Although never on any of my bugs, so I dunno what's up with that.)
-dave