From: Tiago Assumpcao <tiago@assumpcao.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: pageexec@freemail.hu, Greg KH <greg@kroah.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, stable@kernel.org
Subject: Re: [stable] Linux 2.6.25.10
Date: Tue, 15 Jul 2008 17:15:32 -0300 [thread overview]
Message-ID: <487D0564.7070606@assumpcao.org> (raw)
In-Reply-To: <alpine.LFD.1.10.0807141924020.3017@woody.linux-foundation.org>
Linus Torvalds wrote:
>
> That means that I want to fix things asap. But that also means that there is never a
> time when you can "let people know", except when it's not an issue any
> more, at which point there is no _point_ in letting people know any more.
>
The only plausible solution people have found to this problem is
"letting the world know", so everyone involved in the different stages
of IT maintenance can do their part and properly spread the solution
throughout the assets.
Unless you have a better idea, the full-disclosure policy must remain or
we're going back into 1992AD -- except the threats are thereof 2008.
> So I personally consider security bugs to be just "normal bugs". I don't
> cover them up, but I also don't have any reason what-so-ever to think it's
> a good idea to track them and announce them as something special.
>
> So there is no "policy". Nor is it likely to change.
>
> Linus
Either someone classify and inform it as it is, a *security problem*, or
the issue is likely to pass unnoticed by the majority or to not receive
the necessary attention by the involved parts.
Right. You don't want your developers to be responsible for classifying
bugs towards security. Fine. Even though my intuition and personal
experience tell that the question must be approached by those deeply
involved in the development life-cycle, which, on their side, are
responsible for finding, classifying, advising and fixing the security
issues. This seems appropriate. Further, this appears to be what the big
software houses nowadays do: from early design and development stages,
have people to [security] review their applications before deployment,
up to giving high attention and adequate support to any reported
security problem, afterwards release. Maybe this is all silly and the
world is swimming in the wrong direction.
Opinions apart, what really matters: we have an ultimate declaration
about Linus' tree -- we may forget the pre-official (?) announcement
[Documentation/SecurityBugs] and know that someone else must,
eventually, classify and inform the world about security bugs existent
in their software.
From our consumer side, every time an issue of this nature is found,
let's pray for some intermediate, gray, angel to send us an "warning"
message.
Not more I can do but to make sure that all my peers are informed of
such a grave reality.
Sincerely,
Tiago
next prev parent reply other threads:[~2008-07-20 0:36 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-03 3:58 Linux 2.6.25.10 Greg KH
2008-07-03 3:58 ` Greg KH
2008-07-03 17:08 ` Bart Van Assche
2008-07-03 17:29 ` Greg KH
2008-07-03 18:57 ` Greg KH
2008-07-03 19:31 ` pageexec
2008-07-14 12:04 ` [stable] " Greg KH
2008-07-15 2:14 ` pageexec
2008-07-15 2:27 ` Linus Torvalds
2008-07-15 15:31 ` pageexec
2008-07-15 16:07 ` Linus Torvalds
2008-07-15 16:13 ` Linus Torvalds
2008-07-17 21:08 ` Aidan Thornton
2008-07-15 19:03 ` pageexec
2008-07-15 19:16 ` Linus Torvalds
[not found] ` <487D20EC.26203.1BD1E5C5@pageexec.freemail.hu>
2008-07-15 20:18 ` Linus Torvalds
2008-07-15 20:23 ` pageexec
2008-07-15 20:42 ` Linus Torvalds
2008-07-15 21:18 ` pageexec
2008-07-15 21:26 ` Linus Torvalds
2008-07-15 22:08 ` pageexec
2008-07-15 23:28 ` Linus Torvalds
2008-07-16 0:00 ` Tiago Assumpcao
2008-07-16 0:16 ` Linus Torvalds
2008-07-16 0:38 ` Tiago Assumpcao
2008-07-16 0:51 ` Linus Torvalds
2008-07-16 1:10 ` Tiago Assumpcao
2008-07-16 1:41 ` Linus Torvalds
2008-07-16 2:24 ` Tiago Assumpcao
2008-07-16 3:11 ` Theodore Tso
2008-07-16 9:49 ` pageexec
2008-07-16 10:08 ` David Miller
2008-07-16 10:23 ` pageexec
2008-07-16 10:31 ` David Miller
2008-07-16 10:51 ` pageexec
2008-07-16 11:04 ` David Miller
2008-07-16 11:52 ` pageexec
2008-07-16 3:13 ` Greg KH
2008-07-16 9:01 ` pageexec
2008-07-16 9:35 ` Gabor Gombas
2008-07-16 10:04 ` pageexec
2008-07-16 14:43 ` Greg KH
2008-07-16 15:43 ` pageexec
2008-07-16 16:29 ` Greg KH
2008-07-16 17:25 ` pageexec
2008-07-16 18:08 ` Theodore Tso
2008-07-16 19:09 ` pageexec
2008-07-17 3:43 ` Mike Galbraith
2008-07-16 1:08 ` Theodore Tso
2008-07-16 1:30 ` pageexec
2008-07-16 1:53 ` Tiago Assumpcao
2008-07-16 2:02 ` Linus Torvalds
2008-07-16 2:36 ` Tiago Assumpcao
2008-07-16 4:07 ` Linus Torvalds
2008-07-16 4:16 ` Tiago Assumpcao
2008-07-16 3:27 ` Casey Schaufler
2008-07-16 4:13 ` Tiago Assumpcao
2008-07-16 4:21 ` Linus Torvalds
2008-07-16 5:02 ` Tiago Assumpcao
2008-07-16 5:13 ` Linus Torvalds
2008-07-16 5:26 ` Casey Schaufler
2008-07-16 9:33 ` pageexec
2008-07-16 13:21 ` Theodore Tso
2008-07-16 15:16 ` pageexec
2008-07-16 0:04 ` pageexec
2008-07-16 0:24 ` Linus Torvalds
2008-07-16 0:56 ` pageexec
2008-07-16 1:08 ` Linus Torvalds
2008-07-16 1:23 ` pageexec
2008-07-17 7:19 ` Rafael C. de Almeida
2008-07-17 7:59 ` pageexec
2008-07-17 4:21 ` Phil Pell
2008-07-15 18:33 ` Theodore Tso
2008-07-15 20:28 ` pageexec
2008-07-15 22:39 ` Greg KH
2008-07-15 22:47 ` David Miller
2008-07-15 23:08 ` Tiago Assumpcao
2008-07-15 23:21 ` David Miller
2008-07-15 23:26 ` pageexec
2008-07-15 23:26 ` Tiago Assumpcao
2008-07-15 23:22 ` pageexec
2008-07-15 23:35 ` David Miller
2008-07-15 23:09 ` pageexec
2008-07-15 20:15 ` Tiago Assumpcao [this message]
2008-07-20 1:13 ` Bernd Eckenfels
2008-07-15 23:34 ` Tiago Assumpcao
2008-07-19 0:47 ` David Schwartz
2008-07-19 1:01 ` david
2008-07-19 1:51 ` David Schwartz
2008-07-19 5:41 ` Willy Tarreau
2008-07-05 7:54 ` Bart Van Assche
2008-07-08 4:12 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=487D0564.7070606@assumpcao.org \
--to=tiago@assumpcao.org \
--cc=akpm@linux-foundation.org \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox