Re: thoughts on kernel security issues

[Alan Cox]

On Iau, 2005-01-13 at 21:03, Linus Torvalds wrote:
> On Thu, 13 Jan 2005, Alan Cox wrote:
>  - no embargo, no rules, but "private" in the sense that it's supposed to 
>    be for kernel developers only or at least people who won't take 
>    advantage of it.
> 
>    _I_ think this is the one that makes sense. No hard rules, but private 
>    enough that people won't feel _guilty_ about reporting problems. Right 
>    now I sometimes get private email from people who don't want to point
>    out some local DoS or similar, and that can certainly get lost in the
>    flow.

And also not passed on to vendors and other folks which is a pita and
this would fix
> 
>  - _short_ embargo, for kernel-only. I obviously believe that vendor-sec 
>    is whoring itself for security firms and vendors. I believe there would 
>    be a place for something with stricter rules on disclosure.

Seems these two could be the same list with a bit of respect for users
wishes and common sense.

> It's not a black-and-white thing. I refuse to believe that most security 
> problems are found by people without any morals. I believe that somewhere 
> in the middle is where most people feel most comfortable.

Seems sane

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/