Re: thoughts on kernel security issues

From: Kristofer T. Karas
Date: Thu Jan 13 2005 - 11:12:16 EST


Linus writes:

> So I'd not personally mind some _totally_ open list. No embargo at all, no limits on who reads it. The more, the merrier. However, I think my personal preference is pretty extreme in one end


I'm tipping my security hat to Linus (and somewhat away from RFPolicy) on this one. Keeping a large organization free from viruses and malware becomes increasingly entertaining the more "day zero" variants there are. And recently, we've seen a lot for the windoze platform here; at least one major anti-virus player thanks us for sending them infected executables to analyze. Waiting for some embargo to allow a researcher to claim credit just does not work. We spend all of our time swatting flies, waiting for a vendor fix; yet a disclose-without-delay quick-and-dirty fix would have saved so many staff hours.


> So it's embarrassing to everybody if the kernel.org kernel has a security
> hole for longer than vendor kernels, but at the same time, most _users_
> run vendor kernels anyway


Not here! :-) All of my security infrastructure runs kernel.org kernels. (I don't want any vendor "goodies" hidden in places I don't know about.) I punch a button on my heavily-hacked Slackware boxen, and the latest kernel, the latest internet-facing servers, the latest critical libraries are automatically downloaded, compiled and installed whenever newer version numbers exist. Time to a patched system from when the author creates a patch is measured in hours; I compare that to the day(s) or weeks I can wait for a vendor to get around to doing the same thing.

Kris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/