Full Disclosure mailing list archives
Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy
From: "Elazar Broad" <elazar () hushmail com>
Date: Thu, 17 Jul 2008 11:32:20 -0400
Sorry if I was not clear enough, I meant in the commit comments. I agree, you need about a brain and a half to spot kernel bugs in the code itself...

On Thu, 17 Jul 2008 10:58:03 -0400 Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> --On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad <elazar () hushmail com> wrote:
>
>> I could understand why Linus is against classifying a commit comment in his branch or in any unstable branch for that matter...then again, the repositories are open, and anyone with half a brain might be able to discern what has security ramifications or not.
>
> Apparently this isn't as true as you'd like to think. If it were, the folks who write the code would have caught it to begin with. After all, anyone who can write kernel code that works has *at least* half a brain, wouldn't you say?
>
> The truth is, there is a very small pool of people smart enough, educated enough and familiar with the code in question enough to actually spot security problems in the code. Those folks are worth their weight in gold, but in many cases they do it for the pure pleasure of finding the bugs. They also only focus on those things that interest them, so the number of people actually looking for security issues in the Linux kernel code is infinitesimally small compared to the number of people who use the compiled product. Claiming that "anyone with half a brain" can spot security problems in code belittles both those who actually can and all those who cannot but want to be informed about them so they can protect themselves.
>
> --
> Paul Schmehl
> As if it wasn't already obvious, my opinions are my own and not those of my employer.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/