Re: [Full-disclosure] Linux Kernel CIFS Vulnerability
Thierry Zoller wrote:
> AB> Neither the Linux kernel team, the CIFS maintainers nor any of
> AB> the commercial Linux distributors bothered to send out an advisory.
> AB> I'm at a loss for words other than "irresponsible, arrogant
> AB> assholes".  Linux 2009 == Microsoft 2002.
> I second that, the reason is interesting too; Linus considers security
> bugs as nothing else than normal bugs.

I don't mind his policy of "just fixing the bug".  But I do mind when 
the changelog doesn't clearly state "hey, we're fixing a security issue 
here".

> The door closes slowly
> for Linux in enterprises.

So true, and so sad.  I remember a time when using Linux was giving 
actual security benefits over using Windows.  These times are over.

And the security gap between MS and Open Source products will continue 
to widen.  The only OS projects I know about that seriously tried to 
improve fundamental architectural security issues were BitC and CoyotOS.  
BitC is a programming language designed to combine the speed of C with 
the soundness of strongly typed fundamental languages, thus preventing a 
lot of bug classes from the start, and enabling correctness proofs 
across the code.  The project won't be finished, since the main author, 
Jonathan Shapiro, will soon hold a "fairly senior position" in the 
Midori project at MS.

Andreas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/