From: Greg KH <gregkh@suse.de>
To: "Rodrigo Rubira Branco (BSDaemon)" <rbranco@LA.CHECKPOINT.COM>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org, greg@kroah.com,
"'Justin Forbes'" <jmforbes@linuxtx.org>,
"'Zwane Mwaikambo'" <zwane@arm.linux.org.uk>,
"'Theodore Ts'o'" <tytso@mit.edu>,
"'Randy Dunlap'" <rdunlap@xenotime.net>,
"'Dave Jones'" <davej@redhat.com>,
"'Chuck Wolber'" <chuckw@quantumlinux.com>,
"'Chris Wedgwood'" <reviews@ml.cw.f00f.org>,
"'Michael Krufky'" <mkrufky@linuxtv.org>,
"'Chuck Ebbert'" <cebbert@redhat.com>,
"'Domenico Andreoli'" <cavokz@gmail.com>,
"'Willy Tarreau'" <w@1wt.eu>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, "'Alan Cox'" <alan@redhat.com>,
caglar@pardus.org.tr, casey@schaufler-ca.com,
spender@grsecurity.net, pageexec@freemail.hu,
rodrigo@kernelhacking.com
Subject: Re: [stable] Linux 2.6.25.10 (resume)
Date: Sat, 19 Jul 2008 15:13:43 -0700
Message-ID: <20080719221343.GA5578@suse.de>
In-Reply-To: <4880A3B1.3050103@la.checkpoint.com>
On Fri, Jul 18, 2008 at 11:07:45AM -0300, Rodrigo Rubira Branco (BSDaemon) wrote:
> --- SecurityBugs.orig 2008-07-16 23:46:09.000000000 -0300
> +++ SecurityBugs 2008-07-17 14:58:32.000000000 -0300
> @@ -1,7 +1,7 @@
> -Linux kernel developers take security very seriously. As such, we'd
> -like to know when a security bug is found so that it can be fixed and
> -disclosed as quickly as possible. Please report security bugs to the
> -Linux kernel security team.
> +Linux kernel developers take security very seriously, in exactly the
> +same way we do with any other bugs. As such, we'd like to know when
> +a security bug is found so that it can be fixed as soon as possible.
> +Please report security bugs to the Linux kernel security team.
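Review bot: The added clause "in exactly the same way we do with any other bugs" in the first sentence changes the stated policy rather than only its wording, and with "and disclosed" dropped from the next sentence this paragraph no longer says whether a reported bug is ever announced. If the objection is to the single word "disclosed", a change that keeps the original sentence and removes or replaces only that word would avoid rewrapping all four lines and would be easier to review.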
I guess what is getting everyone's panties all in a bind is the term
"disclosed", right? Why not just drop this word from the sentence
instead of rewording it so much?
> @@ -14,23 +14,24 @@
> As it is with any bug, the more information provided the easier it
> will be to diagnose and fix. Please review the procedure outlined in
> REPORTING-BUGS if you are unclear about what information is helpful.
> -Any exploit code is very helpful and will not be released without
> -consent from the reporter unless it has already been made public.
> +Any exploit code is very helpful and will not be released.
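Review bot: The replacement line "Any exploit code is very helpful and will not be released." turns a conditional promise into an absolute one, because it drops both "without consent from the reporter" and "unless it has already been made public". As written, the document would rule out release even when the reporter agrees or the code is already public; if the aim is to reassure reporters, keep the consent clause and state the default explicitly.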
I don't see why this needs to be changed, sometimes we do release
exploit code to third parties that ask us nicely and the reporter allows
us to.
> 2) Disclosure
>
> The goal of the Linux kernel security team is to work with the
> bug submitter to bug resolution as well as disclosure. We prefer
> -to fully disclose the bug as soon as possible.
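Review bot: Removing "to fully disclose the bug as soon as possible." leaves "We prefer" at the end of the preceding context line with no object, and no replacement line is visible in the quoted text. The paragraph still names "disclosure" as a goal, so the same hunk should add a sentence saying what the team prefers to do and when, otherwise the section reads as incomplete.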
Ah, again, it's the "fully disclose" that is causing panties to ride
high. And again, we are disclosing the bug with the real fix and the
code in question. We just seem to differ on what people consider
"fully" it seems. I think the people liking that term these days
consider that you must release exploit and other detailed information.
I disagree with this and feel that our current policy of fixing bugs and
releasing full code is pretty much the same thing as we are doing today,
although I can understand the confusion. How about this rewording of
the sentence instead:
	We prefer to fix and provide an update for the bug as soon as
	possible.
So a simple 1 line change should be enough to stem this kind of argument
in the future, right?
thanks,
greg k-h