Re: thoughts on kernel security issues
From: Kristofer T. Karas
Date: Thu Jan 13 2005 - 11:12:16 EST
Linus writes:
> So I'd not personally mind some _totally_ open list. No embargo at all, no
> limits on who reads it. The more, the merrier. However, I think my
> personal preference is pretty extreme in one end

I'm tipping my security hat to Linus (and somewhat away from RFPolicy)
on this one. Keeping a large organization free from viruses and malware
becomes increasingly entertaining the more "day zero" variants there
are. And recently, we've seen a lot for the windoze platform here; at
least one major anti-virus player thanks us for sending them infected
executables to analyze. Waiting for some embargo to allow a researcher
to claim credit just does not work. We spend all of our time swatting
flies, waiting for a vendor fix; yet a disclose-without-delay
quick-and-dirty fix would have saved so many staff hours.

> So it's embarrassing to everybody if the kernel.org kernel has a security
> hole for longer than vendor kernels, but at the same time, most _users_
> run vendor kernels anyway

Not here! :-) All of my security infrastructure runs kernel.org
kernels. (I don't want any vendor "goodies" hidden in places I don't
know about.) I punch a button on my heavily-hacked Slackware boxen, and
the latest kernel, the latest internet-facing servers, the latest
critical libraries are automatically downloaded, compiled and installed
whenever newer version numbers exist. Time to a patched system from
when the author creates a patch is measured in hours; I compare that to
the day(s) or weeks I can wait for a vendor to get around to doing the
same thing.
Kris