oss-sec mailing list archives
Re: Vendor-sec hosting and future of closed lists
From: Greg KH <greg () kroah com>
Date: Thu, 3 Mar 2011 15:16:01 -0800
On Thu, Mar 03, 2011 at 03:09:55PM -0800, Kees Cook wrote: <good stuff snipped>
> As I see it, the upstream Linux kernel certainly fixes most flaws discovered, and almost gets to fix level 4 (there are so many variations of the Linux kernel running on end-users' systems, I can't blame the Linux kernel upstream for not offering a patch for every version the majority of their end-users use). Where I am disappointed is in the communication.
Ok, that's fair enough, I will not disagree with that.
> It's generally somewhere between communication style 1 and 2. There is no central list of fixed flaws (style 3, see almost every major upstream's website and append some variation of "/security" to the URL, etc.), and certainly no central list of fixes. There is frequently no mention of the implication of a flaw in commits (style 2), and nothing like style 4, 5, or 6 happening. The only place these things happen is in each distro's bug trackers, or scattered in the MITRE CVE links (which almost invalidates anything above fix level 2, since there is no certain way to find a flaw's fix in an upstream stable kernel update). So yes, I'm disappointed in the upstream Linux kernel's security flaw fix communications. And while I'm sure some people may not agree with me, I know many do.
Then, as I have always said, someone needs to step up and actually do this type of communication work. I personally don't have the time to; I am swamped with just getting the stable updates out in a semi-timely fashion. Digging through every patch in these releases and properly conveying the real, or perceived, reason why they are needed is a lot of thankless work. Jon at lwn.net tried it for just one release, and we are averaging about one a week (total number of kernels released, that is). No one else has yet tried to do that, but if they will, I will be _glad_ to point my release notifications at that summary. So in other words, help is gladly accepted :)

thanks,

greg k-h