Dailydave mailing list archives

Re: Security people are leaches. [sic]


From: Aaron <apconole () yahoo com>
Date: Fri, 7 Aug 2009 10:41:09 -0700 (PDT)

> Except we don't live in a black and white world. 'Security bug', or heck,
> just 'bug', is not a binary property; there're many shades of grey in what
> exactly the bug accomplishes. It's clearly not enough to state 'this
> commit fixes something but I did not want to bother to understand what';
> users of said commits need more information than that. Fortunately not all
> developers share Linus' mindset, although their efforts are sometimes in
> vain when what he commits intentionally omits security-relevant information.

Excuse me, but no one commits fixes without understanding what they've fixed.
If someone fixes a segfault/oops they might not have done the investigation to
determine whether or not something is theoretically or practically usable for something
nefarious, but they understand that there was a null pointer dereference, or an invalid
lock condition and they removed that problem.

The 'shades of grey' only exist to security people. To no one else is it important
that a bug disclose information, allow invalid root access, or escalate privileges.

So the point still stands, why burden the average kernel developer/debugger to do
security research work for the security researcher?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
