Dailydave mailing list archives
Re: [Full-disclosure] Linux's unofficial security-through-coverup policy
From: spender () grsecurity net (Brad Spengler)
Date: Wed, 16 Jul 2008 17:47:35 -0400
Valdis, I hope you don't expect me to take you or your reply seriously. You're the village idiot of the full-disclosure list; you talk a lot and provide a lot of great entertainment for many of us at the beginning of our workday, but don't really contribute anything useful.
So tell me Brad - if Roland fixed a bug, *and didn't even realize it was a security-exploitable* issue, how do you propose we proceed?
If you had actually bothered to read any of the links I included in my mail (I included them for a reason, not just to take up space), you wouldn't have asked this question. <removed stuff that would be answered if you actually read before replying>
But you know what? *IT* *DOESN'T* *ACTUALLY* *MATTER* *IN* *THE* *REAL* *WORLD*. Just yesterday, I was talking on IRC to a rather clued individual, who was still running 2.6.18 or so - because he had mission-critical custom patches that hadn't been migrated to 2.6.25 yet.
Judging your intellectual ability by the quality of your posts, Valdis, I'm sure you associate yourself with some real winners. And given your perception of yourself as a 'clued' individual, I'm sure this guy was of of equally exceptional calibre. I'd say that this individual's choice to use a kernel tree which introduces nearly 50MB of source code changes every 3 months on a mission critical system probably wasn't the brightest. Asking the developers to stop intentionally omitting security information they're aware of is not too much to ask. They have a written policy that they've been acting in direct opposition to. Since they've made it clear they don't understand "full-disclosure" in the way the rest of the world understands it, and their real policy matches that of what's considered "non-disclosure," we're asking them to change their written policy so that everyone is clear on what their position on security issues are. If you read any of the links, you'd also see what the 2.4 maintainer has to say about obfuscation of security issues: I don't like obfuscation at all WRT security issues, it does far more harm than good because it reduces the probability to get them picked and fixed by users, maintainers, distro packagers, etc... (http://lkml.org/lkml/2008/6/10/452) -Brad
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy M. Shirk (Jul 16)
- Message not available
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Message not available
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Dave Aitel (Jul 17)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Thomas Ptacek (Jul 17)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Valdis . Kletnieks (Jul 18)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Thomas Ptacek (Jul 19)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy nnp (Jul 19)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy pageexec (Jul 19)
- Re: [Full-disclosure] Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: [Dailydave] [Full-disclosure] Linux's unofficial security-through-coverup policy Steve Grubb (Jul 17)