Dailydave mailing list archives

Things look bad for vendor-sec


From: Dave Aitel <dave () immunitysec com>
Date: Fri, 14 Jan 2005 12:42:16 -0500

Counting the leak from vendor-sec that came across this list last week, and counting Linus coming out against that whole way of life, I think things are rocky on the vendor-sec front. It was kind of a dumb idea to start with, I think. You know who's really good about open disclosure of vulnerability holes? NetBSD. I dunno why, but they always put a lot of good technical data about holes in their advisories.

http://www.internetnews.com/dev-news/article.php/3458961

"So it's embarrassing to everybody if the kernel.org kernel has a security hole for longer than vendor kernels, but at the same time, most users run vendor kernels anyway, so maybe the current setup is the proper one, and the kernel.org kernel should be the last one to get the fix," Torvalds wrote. "Whatever. I happen to believe in openness, and vendor-sec does not. It's that simple."

...

"Quite frankly, nobody should ever depend on the kernel having zero holes," Torvalds wrote. "We do our best, but if you want real security, you should have other shields in place."

Does anyone know if you can use the GCC stack protection in kernel code? It would make sense if they did. I know the Windows people try to when they can. (Although never on any of my bugs, so I dunno what's up with that.)

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
