Re: thoughts on kernel security issues

From: Alan Cox
Date: Thu Jan 13 2005 - 17:41:23 EST


On Iau, 2005-01-13 at 21:03, Linus Torvalds wrote:
> On Thu, 13 Jan 2005, Alan Cox wrote:
> - no embargo, no rules, but "private" in the sense that it's supposed to
> be for kernel developers only or at least people who won't take
> advantage of it.
>
> _I_ think this is the one that makes sense. No hard rules, but private
> enough that people won't feel _guilty_ about reporting problems. Right
> now I sometimes get private email from people who don't want to point
> out some local DoS or similar, and that can certainly get lost in the
> flow.

And also not passed on to vendors and other folks, which is a pita and
this would fix.

>
> - _short_ embargo, for kernel-only. I obviously believe that vendor-sec
> is whoring itself for security firms and vendors. I believe there would
> be a place for something with stricter rules on disclosure.

Seems these two could be the same list with a bit of respect for users'
wishes and common sense.

> It's not a black-and-white thing. I refuse to believe that most security
> problems are found by people without any morals. I believe that somewhere
> in the middle is where most people feel most comfortable.

Seems sane
