Sean Michael Kerner Blog
Torvalds bashes vendor-sec private Linux security list

From the 'rare praise' files: Last week, Linux was tagged with a local NULL pointer flaw that could have led to privilege escalation. Linux founder Linus Torvalds pushed a patch upstream quickly, and that patch is now in the Linux 2.6.31-rc6 milestone.

Torvalds notes in the 2.6.31-rc6 release notes that the issue wasn't as bad as it could have been, and that he would likely have delayed the fix were it not for the fact that a private list (vendor-sec) apparently wasn't private after all.

"There's the NULL pointer fix that was already talked up on Slashdot, but quite frankly, assuming we got all the "you can't map things at zero" issues fixed from the last scare, that one hopefully wasn't quite as bad as it could have been," Torvalds wrote. "What was perhaps an interesting (if trivial) detail is that if it hadn't been for vendor-sec apparently leaking like a sieve, we'd have delayed the fix until the next -rc due to trying to be polite to vendors."

Torvalds has never really been a fan of the vendor-sec list. Vendor-sec is supposed to be a vendor-only list that is not publicly available; its purpose is to give vendors the time they need to prepare fixes before a flaw is disclosed. Back in 2005, Torvalds criticized vendor-sec, arguing that delayed disclosure, as practiced by the vendor-sec list, is broken. He said he strongly believes that users should get updates before a disclosure is made.

"I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses," Torvalds said in 2005. "And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons."

I completely agree. Openness and transparency are the key to true security.
However, I also understand how this can put vendors and users at risk, since patches aren't going to be coordinated across distributions. It's a tough call and a very delicate balance that needs to be struck.

3 Comments
Openness and transparency are the two things associated with open source tech.
3 problems create this leaking culture:
1. Microsoft/Apple history of ignoring security issues, so leaks force fixes.
2. Ego of the security researcher.
3. A bad business plan for a security company: trying to look clever to businesses.
I guess there may be more reasons.
Linus is absolutely right. There are some individuals who receive the notices when they are discovered and posted, but there are others, seeking glory, who want to be the first ones to report it to the public.
Ahh Linus, you will just have to live with those children.
Regards from Montreal