Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy
- To: full-disclosure@xxxxxxxxxxxxxxxxx, pschmehl_lists@xxxxxxxxx
- Subject: Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy
- From: "Elazar Broad" <elazar@xxxxxxxxxxxx>
- Date: Thu, 17 Jul 2008 11:32:20 -0400
Sorry if I was not clear enough, I meant in the commit comments. I
agree, you need about a brain and a half to spot kernel bugs in the
code itself...
On Thu, 17 Jul 2008 10:58:03 -0400 Paul Schmehl
<pschmehl_lists@xxxxxxxxx> wrote:
>--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad
><elazar@xxxxxxxxxxxx>
>wrote:
>
>> I could understand why Linus is against classifying a commit
>> comment in his branch or in any unstable branch for that
>> matter...then again, the repositories are open, and anyone with
>> half a brain might be able to discern what has security
>> ramifications or not.
>
>Apparently this isn't as true as you'd like to think. If it were,
>the folks who write the code would have caught it to begin with.
>After all, anyone who can write kernel code that works has *at
>least* half a brain, wouldn't you say?
>
>The truth is, there is a very small pool of people smart enough,
>educated enough and familiar with the code in question enough to
>actually spot security problems in the code. Those folks are worth
>their weight in gold, but in many cases they do it for the pure
>pleasure of finding the bugs. They also only focus on those things
>that interest them, so the number of people actually looking for
>security issues in the Linux kernel code is infinitesimally small
>compared to the number of people who use the compiled product.
>
>Claiming that "anyone with half a brain" can spot security
>problems in code belittles both those who actually can and all
>those who cannot but want to be informed about them so they can
>protect themselves.
>
>--
>Paul Schmehl
>As if it wasn't already obvious,
>my opinions are my own and not
>those of my employer.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/