Slashdot Mirror
The Case For Full Disclosure In The Linux Changelog
titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil securitychanges in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- Along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.
Does this mean that Linux devs and Microsoft agree that full disclosure is bad?
The kernel is the one thing on my systems that I don't update all that regularly. Mostly because it tends to trash my systems out for whatever reason - so I can see where keeping the security changes out might obfuscate openings for people. But then again - if I know that someone can break into my system because I'm running 2.2.13 - I'm more likely to upgrade, fixing the problem.
-T
My reality check bounced.
i mean, aside from the whole DMCA can of worms, it may help hackers, but if its "secure" in the first place after these changes are put in place. My understanding is that if the attackers know what the changes are, it ought to be irreivant, as they ought not to be able to gain access. This is more like another "security through obscurity" trick, than anything.
Life is like a box of chocolates, you never know when your gonna get food poisoning.
Comment removed based on user account deletion
how many times does it have to be repeated: Disclose, Disclose, Disclose.
Full disclosure is essential to the success of any project, especially where security is involved. Heck, even Suits (ornery business types) understand this: in a corporation or LLC, lack of disclosure can lead to loss of limited personal liability.
This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.
We depend on the proper functioning of group development and understanding in Linux. From folks who just want to keep boxes on their home DSL/cable lines secure, to others (such as myself) who are involved in web hosting businesses, the need is real for disclosure.
This is very troubling. Surely I'm not getting the whole story here, at least I hope I'm not.
The United States hasn't been the land of the free since the 1960s, and the DMCA just puts us one step closer towards not having freedom of speech. If Alan Cox feels that he needs to block all Americans from seeing the Linux changelogs to make his point, so be it. It's not like he's blocking people who live in free countries from viewing the changelogs. And if the US repeals the DMCA and doesn't pass a similar law, Cox will open up the changelogs again - he believes in keeping them open but doesn't want to get arrested for it, unlike Microsoft who wants to keep them closed as a business strategy.
Thank you for discosing your meta-discosure position on discosing discosed information.
I will now disclothe for all the non-disclosure people in this room. Thank you.
...would prosocute the kernel developers as a result of full disclosure? I thought the DMCA's "circumvention" clauses only apply to the company/entity that made the product which is being exploited? I seriously doubt anyone on the kernel development team would satrt a lawsuit.
Alan has done some great work. But he really needs to step off of his soap box for a few minutes.
--
#nohup cat
How on earth could Linux security information be a violation of the DMCA? Linux is not a 'content protection system'. The DMCA dosn't say you can't hack, it only says you can't hack content protection.
autopr0n is like, down and stuff.
Dude. One of the worst aspects of the DMCA is that it makes violation a federal crime. No lawsuit is required.
This is a pretty good discussion of the whole debacle for The register.
No, Alan Cox is not pro non-disclosure. But it does seem to have been an unintended side affect of his swipe at the DMCA
The international nature of Linux development makes it a potential platform for protest and discontent, but at the same time, developers can and do seem to recognize the importance of their role in the endeavor. They should be excused for occasionally "acting out", imho.
Politicians aren't made overnight.
Am I totally missing something? If you really want to know what was changed (if not why), can't you just diff the code of the two versions?
I don't think we really need to know HOW the bad code could be exploited...the smart people should be able to figure that out for themselves by looking at the code. Why help the script kiddies. "Fixed some major security flaws" type message is good enough for me as a user.
-Pete
Soccer Goal Plans
Now, not only has he failed to realize that the only people who won't be taking his actions at face value are all the people who already agree with him, but, let's face it, the information he was surpressing wasn't even covered by the DMCA. Remember, the DMCA covers encryption on copyrighted works. Since the Linux kernel has neither, it obviously has nothing to do with the DMCA and only serves to hurt the people that would need to know about security fixes. Way to go Alan, maybe you should stay out of Public Relations.
In fact, maybe we have a new job in order for Mr. Cox: security auditing for Microsoft. After all, who could possibly be a stronger proponent of security through obscurity?
Is your company running tools written by ma
Come on, how can you not understat that that comment from Alan Cox was a protest (though using some british sense of humour?).
There is full disclosure. Just look the diff.
I can't understand how people can claim to understand free software development and then have these claims.
Hugs, Cyclops
...he just doesn not want to go to jail.
The way to deal with the DMCA is not to pretend it does not exists, but to show how ridiculous it is, and that means obeying it and showing how it limits development. You cannot think about computer security without considering the legal aspects. Of course full disclosure would be better, but at what price?
Cox could *actually* go to jail in his next visist to the USA in case he did it. (Think not? Dimitry also didn't believe it could happen.) I am sure you can get the information of what was changed in the kernel by other means (linux-kernel?), but it is very important to be registered in the log that we are being limited by the DMCA. I don't know, perhaps in a nicer future someone will look back at these logs and ask why he didn't describe the problems, and then they will remember how the abuse of corporate power has changed law in a uncostitutional and limiting way.
We are not talking about boys playing in a BBS, we are talking about real men with real families, people important in our community, that could go to jail because of stupid laws in the lack of this responsability.
This is only being restricted to the US. The rest of us all have this information.
If you really want to see it, click here:
kernel-2.2.20.log
kernel-2.2.20pre11.log
I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.
Take the Source from the Formver Version, and the Current One, compare the two, and note all the changes..... The information is obviously there, its just that Alan just isn't giving us the spoon anymore...
What, me worry?
http://saveie6.com/
What work of yours has been affected by the DMCA and what did you do about it?
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
From the article:
:) But what's the alternative?
Although commercial tools are available that scan for vulnerabilities, the lag time between development of the exploit and the next periodic update to security scanning packages is too long for many enterprises.
Not to mention that the commercial tools usually cost $$$, and have their own problems and shortcomings; the alternative being to download the exploit from bugtraq and try it yourself against your machines.
From my experience - I work as a unix sysadmin for a small-to-medium software company - waiting for vendor updates (any vendor, from Sun to M$) is akin to giving up... blocking the traffic in the firewall is to survive. You have to know what to block, obviously.
So, IMHO there is nothing like first-hand experiencing the exploits. I know the script-kiddies say the same thing.
-- No sig today
It seems to me, even as a Brithish Citizen Living in Britian, Alan has made more of a visible and rational protest than any of the whiners... (who btw probably have the access etc to protest in a more effective manner themselves, but have they?) I know being American does NOT usually mean a humour imparement.... In fact...
--
"we live in a post-ideological world..." - Billy Bragg.
Second, why is everyone here so upset? Oh, hang on. This affects, um who was it? Oh thats right, the Americans. We really shouldn't upset them should we? Most of the comments that I have seen modded up so far basically say one of the following things:
Well, sadly:
Hands up all of the americans who have written their senator, state and federal. Hands up to all of those who have given financial, or other, support to movements who are trying to repeal the DMCA. Hands up all those who would just rather whinge when that law inconveniences them. Hmm. Thought so, on that last question the number of hands went up by 10.
If you are really so cut up about it, figure out what has changed (it isn't really that hard, it has been talked about in the previous article) and post it yourself. Then to prove to Alan what a fool he is, walk down to the DA's office and get a written statement saying that they will not prosecute you for releasing that information. Make entirely clear to them that you have released information that could help people circumvent rights management, and get the DA to sign saying that they would not prosecute you for releasing this information.
Personally, I don't think that this will happen, since most people would rather make Alan the bad guy over taking any personal risk. I dare you to prove me wrong.
Maybe we would all do better following Linus's methods. Let's say you need to turn in an Essay on Lord Of The Flys, it's simple:
As you can see, this eases your everyday life. It gets rid of the unintended problems that spring from caring about anything but the task at hand.
--Josh
There are exactly 42,935,718 letter sized sheets in a square mile.
What if there is some serious kernel security hole in pre-2.2.20 and 2.0.x kernels affecting Bastille, RedHat up to 7.0 and EVERY OTHER linux system having a pre-2.2.20 kernel installed? What the heck is Alan hiding?
Cox is Welsh, not English. Cox lives in Wales, not England. If you're going to copy verbatim something off Adequacy, realise that even they are not going to get everything right.
========================================
Death will come, and will have your eyes
-- Pavese
That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I perchance some MP3s, and someone hacked my account to grab them, That hack wouldn't be considered illegal under the DMCA.
File permissions are really more for privacy then they are for IP control. And remember, judges are supposed to go by the spirit of the law, not necessarily the letter. Just because you could theoretically rig something up to be a content control mechanism, doesn't mean that the courts would look on them as such.
And also, I don't believe that you can be convicted for circumventing your own technology, any more then you could be sued for violating the GPL on software you wrote (and own the copyright on).
There needs to be a plaintiff after all.
autopr0n is like, down and stuff.
Is why people think software with its encryption is any different from other products.
Is Ford or Firestone sueing the group that discovered the flaw when you put an Explorer on Firestone tires?
Are lockmakers sueing those that pick locks?
Why do software companies think they're so "special" in that regard?
Isn't there a consumers' association in the US?
If there is, I don't know how they act, but in many countries this sort of association tries to keep regular companies on their toes by regularly testing their products and giving them a thumbs-up or thumbs-down verdict. Also if consumers are having problems with a company due to a breach of contract or bad sale or whatever, the association has a bunch of lawyers on their payroll who are willing to sue.
Wouldn't it just be a great idea if encryption-breakers could team up with that kind of organisation? I mean, it is of course in the consumer's interest that this sort of work goes on.
...place to detail security changes. Isn't the purpose of the Changelog to provide a brief at-a-glance notification of changes? After all you don't want the 10k of gorey details about why ext3 driver was patched nor should there probably be security alerts. Instead how about make another document or document directory in the Documentation that details stuff like this instead of harping on maintainers of Changelog?
We all know that that is illegal in the USA, thanks to the DMCA, and in a little over one year, will also be illegal in most of Europe, thanks to the EUCD - European Union Copyright Directive.
My question is: Why should he take the risk ? Until know, Sklyarov is still in jail, Felten hasn't got the courts permission to present his article and I still can't get a DVD player with any GNU/Linux distribution. Isn't this enough to make one think twice before entering the security field ?
America: Land of the Bree, home of the Artichoke.
Nice flame pasted from another site anyways.
"The reference to the DMCA being overturned is revealing. Mr. Cox wants this to happen, and his little tinpot emperor censorship game is intended, in his apparently delusional mind, as a powerful political statement toward that end. It does not seem to have occurred to him, in his current seemingly megalomaniacal state, that members of the US Congress probably do not use Linux, and even those few Congressional staffers who might know what Linux is probably don't build their own kernels, and so will never know about Mr. Cox's protest."
To this I laugh. Many have heard of Linux. Imagine if you paint Linux as an MS competitor (MS did). Now say that developement of one of the few viable competitors is threatened by the DMCA coupled with the crappy fruits that have already fallen from this tree.
"Mr. Cox has attempted to support his ridiculous and obviously politically-motivated censorship with the claim that his decision was based on legal advice (implying that he fears that documenting security-related kernel fixes places him at risk of being prosecuted under the DMCA's anti-circumvention provisions), but this seems highly unlikely to be true."
Says you or rather the origional poster of advocacy. If that isn't you, that's a breach of copyright btw.
"One of the sources, who is a Linux user and is familiar with Mr. Cox's history, said with a chuckle, "Alan's just having his fun, trying to make a statement.""
Hey why didn't you tell us your source of legal advice. You held AC's to a highstandard we hold yours to the same.
Flame away but at least not be full of shit.
Elias Levy wrote an eloquent rebuttal to the Microsoft essay. But I'd like to zero on in one particularly egregious claim Culp makes in his argument: that an administrator "doesn't need to know how a vulnerability works in order to understand how to protect against it."
The M.I.B's (Microsofties In Black)would be proud.
Just claim "you don't need to know".
And the 'Little Flashie Thingies' don't hurt either.
If it is not on fire, it is a software problem.
... is beginning to turn into a refuge for lazy people and bored teenagers.
I mean, on the one hand you've got a bunch of people crying that this assists firms like Microsoft. On the other, you've got users who copy verbatim writings they've already posted at other weblogs.
I'm beginning to think even reading comments (1 or below) at Slashdot is a waste of time. What do you think?
========================================
Death will come, and will have your eyes
-- Pavese
Alan Cox is definately beginning to irritate me in the last few months. First, he won't change over the VM, then he won't disclose the changelogs. He finally gave in on the VM.
Mr. Cox, do you adhere to all the rules of the U.S. as a british citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.
The DMCA is a U.S. law. Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.
The federal goverment does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention. This is simply ridiculous. You can't be put in jail for publishing changelogs to your own code.
Oh my god...last week I tried to hack my own linux box! I'm a fugitive from justice!
Personally, I vote Alan Cox finds him a nice little therapist somewhere in merry old England and tries to get some help.
The EUCD - European Union Copyright Directive - has to be transposed to national law until December 22nd 2002. That means we'll also have a DMCA-like legislation in the near future.
Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.
Well, since I have no way to know if security holes :)
exist in the Linux kernel, I will have to switch
to another operating system that I can verify problems
with. Obviously if people think Linux can be run
in a production environment before, it won't be now.
Good thing for the BSDs at least.
DMCA forces Alan Cox to censor Changelog
The message on the other side of this sig is false.
This seems to involve them directly. A representative of their company is withholding security information, and claiming to due so under advice from legal counsel. Did this counsel come from RedHat, or is RedHat letting individual employees set company policy?
Nice flame pasted from another site anyways.
Sure, and I could understand it being moderated up as funny (provided you thought it was original); Adequacy can be quiet amusing if you like that sort of thing. How anyone could regard it as "informative" though is beyond belief...
Alan claimed to have recieved legal advice. Redhat has a responsibility to it's customers to disclose security info, and Alan is an employee of Redhat. What does redhat have to say about this?
he was taking the piss!!
Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs.
For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.
So, basically, he's making a political point about stupid laws. He's welcome to if that what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.
Glenn
The DMCA does not specifically cover 'encryption' on 'copyrighted works'.
It covers COPYRIGHT PROTECTION MECHANISMS. You just assume those must be encrypted.
ie: Let's say a new CD format came out that just used a couple of bits to determine if a work is permitted to be copied (and requires a new player to play, etc). Someone who reveals a way to 'ignore' those bits, ie: by hotwiring the device is also violating the DMCA.
The linux kernel could very well have someone's copyrighted work on it, and giving someone the ability to obtain root access without authorization in order to copy that work could be constituted as a violation of the act. Yes, it's a stretch.. but not completely out to lunch. That's how broad the language of the DMCA is.
As for the 'sheer stupidity' of a British Citizen doing this... what about that Russian Citizen who was arrested for this very law?
If Alan wants to ever visit the US, say, to go to a conference, or the Superbowl, or whatever... he'll have to make sure he stears clear of US law, no?
Alan isn't a proponent of security through obscurity. He's a proponent of not getting arrested upon entering the United States.
as a u.s. citizen would you say linux is more important than your freedom of speech?
if anything, mr. cox should be applauded for putting a thorn (however small) right in the eye of this stupid, anti-american law.
thank you mr. cox, for making an important point and for standing up for all of us having to deal with the total idiocy that is the dmca.
Fight bad laws like DMCA. Join the EFF. It's that simple.
The DMCA isn't about encryption.
It's also not about flaws in tires, or bugs in software.
It's about technological systems that protect copyrighted works.
This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.
And did you write your representative in United States Congress yet? Did you submit an amica brief at Dmitry's preliminary hearing? Did you join the EFF to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt so some of your purchase goes to stop the DMCA?
If you have, then I applaud your actions and encourage you to continue engaging in constructive solutions. If not, then put up or shut up. Far too many people are bitching about this problem and taking no substantive action.
It is unreasonable to expect Cox to behave differently. He's seen what happened to Dmitry. He knows what could happen if he were to disclose this information to Americans, then set foot in the United States. Cox did the right thing.
My car gets 40 rods to the hogshead, and that's the way I likes it!
Alan isn't a proponent of security through obscurity. He's a proponent of not getting arrested upon entering the United States.
That's assuming, of course, that when he goes to the Superbowl, he gives a presentation on how to break into, say, the RIAA's Linux systems that hold tons of copyrighted works. Skylarov clearly violated US law while in the US. Cox has done nothing of the sort. I wish you so-called opponents of the DMCA would come off as something other than poorly-informed whiners, it might help your PR.
Is your company running tools written by ma
A debatable point, as the US Constitution Article XVIII, ratified in 1919, forbade the "manufacture, sale, or transportation of intoxicating liquors". This article was repealed in 1933, after prohibition proved its total uselessness in preventing alcohol consumption, but there are similar laws today prohibiting the use of several recreational drugs. The main effect of such prohibition is creating a strong incentive for organized crime. The prohibition is no obstacle to former drug users becoming presidents of the USA, for instance.
As Robert Heinlein said: "I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; If I find them too obnoxious, I break them. I am free because I know that I alone am responsible for everything I do" (The Moon is a Harsh Mistress, 1966).
This doesn't mean that we should tolerate any such stupid laws as the DMCA or drug prohibition. Those laws have the very dangerous side effect of creating a large number of corrupt law enforcement officers. Corruption in law enforcement is, IMHO, a much greater danger to freedom.
Mod this up.
This is the first post I've seen that calls it like it is.
As a Linux user and admin I really hate it when some key developer uses my OS of choice as a soapbox for entirely unrelated political protest.
Bad British humor or not, the DMCA and changelogs have nothing to do with each other. Cox is doing *nothing* to get the DMCA changed and is only hurting Linux.
As if my Congressman would know or care that Cox didn't release Linux version 2.2.20 security changelogs to the US. Sheesh. The arrogance is stunning.
If the kernel change logs can be used to provide information to hackers that would result in criminal liability, does not the entire kernel source provide the same information?
Doesn't that imply that the entire Linux Kernel Source should be closed and only Binaries provided?
If Alan Cox is allowed to use Linux as his own political soapbox, then Linux itself is history. Where the hell is Linus?
nonsense. No thorn has been placed anywhere except in the ass of American victims of Alan's personal politcal protest.
Here here. As a Canadian (our government is currently CONSIDERING a law similar to the DMCA) I fully support Alan Cox's actions on this issue.
Oh, Bullshit... Alan hasn't put a thorn in anything. All he's done is make himself look like a fool.
Dinivin
If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.
Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.
Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
If anything, the argument that Mr. Cox puts forth just makes your "fight" look silly.
Who cares about such laws in US. People living in US have much worse laws and problems to take care of. I'm not saying DMCA isn't bad (if such laws were implemented here in Sweden I would raise my voice high), but as US citizen there is just so much crap to take care of that DMCA may look like a small problem. Step one should be to learn what democracy and free speech REALLY is! (ok - this maybe IS realted after all)
Go US Go
for what? ...taking caution with us laws?
Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.
The federal goverment does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.
Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.
This business of having draconian laws which are enforced at the authorities discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.
If you're saying that you support the DMCA as written, then I suppose we have a total different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.
Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.
My interpretation of Alan's actions were that they were more of a joke or satirical political comment. Am I wrong? I don't read the kernel mailing lists or anything, so it's not like I have the best insight into the issue. Would someone who actually somewhat knows Alan mind telling us his real motivation for censoring the changelogs?
but it's irritating nonetheless. (OT: Lived in London for 5 years, returned to Canada 2 years ago.)
========================================
Death will come, and will have your eyes
-- Pavese
Anyone know if Jay Beale is still employed by MandrakeSoft?
========================================
Death will come, and will have your eyes
-- Pavese
I have always favored the BSD freenixes over Linux. One primary reason is that all code is maintained in publicly viewable CVS servers.
Linux, unfortunately, is not. To the best of my knowledge, Linus doesn't even use CVS privately. If you want to upgrade your kernel, you have to wait for new releases in the form of full or patch tarballs delivered to kernel.org like mana from heaven (Linus). There's no easy way to see arbitrary changes in any file at any time. There's no reading commit logs.
For that matter, there's no easy way to contribute. That is to say, there's not an _easier_ way. You have to mail your patches to some list or maintainer, etc. There's no public bug tracker.
When will it be Open? Or is Free enough?
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
Hey, one of you IANAL-types. Help me out here.
I can't understand why Alan claims to have a legitimate concern of getting arrested on his next visit to the US. I mean it's one thing to publish code that exploits somebody else's lackluster security features (i.e., Skylarov); it's quite something else to simply publish the security status of your own code base.
Surely the DMCA, as bad as it is, can't send someone to jail for disclosing their *own* security info? (OK, so the kernel isn't technically Alan's, but he is the code's primary maintainer). I mean, who would be the complaintant in the case? Would they not have to demonstrate some kind of damage that resulted from the alleged misdeed?
Someone help me out, I simply can't believe there's a legitimate reason to fear arrest in this case. Surely, he's just making a point, right?
If not...my God. WTF happened to my country? I want it back.
Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
Here's the full uncensored changelog for Linux 2.2.20:
/proc bug and OF fb name size bug (Segher Boessenkool)
2.2.20 final
o Final fixes for the computone driver (Michael Warfield)
2.2.20pre12
o Update davicom driver to fix oopses (Sten Wang)
o Updated PC300 driver - fix SCA-II DMA bugs
(Daniela P. R. Magri Squassoni)
o Make syn cookies per socket (Andi Kleen)
o Computone driver fixes for fast PC's (Michael Warfield)
| Follow on devfs patches didnt apply so dropped
o DAC960 update (Leonard Zubkoff)
2.2.20pre11
o Security fixes
- Quota buffer overrun , possibly locally (Solar Designer)
exploitable
- Ptrace race - local root exploit (Rafal Wojtczuk,
- Symlink local denial of service attack Solar Designer,
fix Linus Torvalds)
- Sparc exec fixups (Solar Designer)
o Sparc updates (Dave Miller)
o Add escaped usb hot plug config item (Ryan Maple)
o Fix eepro10 driver problems (Aris)
o Make request_module return match 2.4 (David Woodhouse)
o Update SiS900 driver (Hui-Fen Hsu)
o Update ver_linux to match 2.4 (Steven Cole)
o Final isdn fixups for 2.2 (Kai Germaschewski)
o scsi tape fixes from 2.4 (Kai Mäkisara)
o Update credits entry (Henrik Storner)
o Fix scc driver hang case (Jeroen)
o Update credits entry (Dave Jones)
o Update FAT documentation (Hirokazu Nomoto)
o Small net tweaks (Dave Miller)
o Fix cs89xx abuse of skb->len (Kapr Johnik)
2.2.20pre10
o Update the gdth driver (Achim Leubner)
o Fix prelink elf loading in 2.2 (Jakub Jelinek)
o 2.2 lockd fixes when talking to HP/UX (Trond Myklebust)
o 3ware driver update (Adam Radford)
o hysdn driver update (Kai Germaschewski)
o Backport via rhine fixes (Dennis Bjorklund)
o NFS client fixes (Trond Myklebust, Ion Badulescu,
Jim Castleberry, Crag I Hagan.
Adrian Drzewiecki)
o Blacklist TEAC PD-1 to single lun (Wojtek Pilorz)
o Fix null request_mode return (David Woodhouse)
o Update credits entry (Fernando Fuganti)
o Fix sparc build with newer binutils (Andreas Jaeger)
o Starfire update (Ion Badulescu)
o Remove dead USB files (Greg Kroah-Hartmann)
o Fix isdn mppp crash case (Kai Germaschewski)
o Fix eicon driver (Kai Germaschewski)
o More pci idents (Andreas Tobler)
o Typo fix (Eli Carter)
o Remove ^M's from some data files (Greg Kroah-Hartmann)
o 64bit cleanups for isdn (Kai Germaschewski)
o Update isdn certificates (Kai Germaschewski)
o Mac update for sysrq (Ben Herrenschmidt)
2.2.20pre9
o Document ip_always_defrag in proc.txt (Brett Eldrige)
o Update S/390 asm for newer gcc (Ulrich Weigand
o Update S/390 documentation Carsten Otte
o Update s390 dump too and co)
o Update s/390 dasd to match 2.4
o Backport s/390 tape driver from 2.4
o FDDI bits for s/390
o Updates for newer pmac laptops (Tom Rini)
o AMD760MP support (Johannes Erdfelt)
o Fix PPC oops on media change (Tom Rini)
o Fix some weird but valid input combinations (Tom Rini)
on PPC
o Add additional checks to irc dcc masquerade (Juanjo Ciarlante,
Michal Zalewski)
o Update 2.2 ISDN maintainer (Kai Germaschewski)
o Fix 3c505 with > 16Mb of RAM (Paul)
o Bring USB into sync with 2.4.7 (Greg Kroah-Hartmann)
2.2.20pre8
o Merge DRM fixes from 2.4.7 tree (me)
o Merge sbpcd fixes from 2.4.7 tree
o Merge moxa buffer length check
o Merge bttv clip length check
o Merge aha2920 shared irq from 2.4.7 tree
o Merge MTWEOF fix from 2.4.6 tree
o Merge serverworks AGP from 2.4.6 tree
o Merge sbc60xxx watchdog fixes from 2.4.6
o Merge lapbether fixes from 2.4.6
o Merge bpqether fixes from 2.4.6
o Merge scc fixes from 2.4.6
o Merge lmc memory leak fixes from 2.4.6
o Merge sm_wss fixes from 2.4.6
o Resync AGP support with 2.4.6
o Merge epca fixes from 2.4.5
o Merge riscom8 fixes from 2.4.5
o Merge softdog fixes from 2.4.5
o Merge specialix fixes from 2.4.5
o Merge wdt/wdt_pci fixes from 2.4.5
o ISDN cisco hdlc fixes (Kai Germaschewski)
o ISDN timer fixes (Kai Germaschewski)
o isdn minor control change backport (Kai Germaschewski)
o Backport ELCR MP 1.1 config/PCI routing stuff (John William)
o Backport isdn ppp fixes from 2.4 (Kai Germaschewski)
o Backport isdn_tty fixes from 2.4 (Kai Germaschewski)
o eicon cleanups (Armin Schindler)
| Armin can you double check the clashes were ok
o Fix an ntfs oops (Anton Altaparmakov)
o Fix arp null neighbour buglet (Dave Miller)
o Update sparc version strings, pci fixups (Dave Miller)
o Define CONFIG_X86 in 2.2 as well as 2.4 (Herbert Xu)
o Configure.help cleanups (Steven Cole)
o Add MODE_SELECT_10 to qlogic fc table (Jeff Andre)
o Remove dead oldproc variable (Dave Miller)
o Update starfire driver for 2.2 (Ion Badulescu)
o 8139too driver update (Jens David)
o Assorted race fixes for binfmt loaders (Al Viro)
o Update Alpha support for older boxes (Jay Estabrook)
o ISDN bsdcomp/ppp compression fixes (Kai Germaschewski)
2.2.20pre7
o Merge rose buffer management fixes (Jean-Paul Roubelat)
o Configure.help updates (Steven Cole)
o Add Steven Cole to credits (Steven Cole)
o Update kbuild list info (Michael Chastain)
o Fix slab.c doc typo (Piotr Kasprzyk)
o Lengthen parport probe timeout (Jean-Luc Coulon)
o Fix vm86 cleanup (Stas Sergeev)
o Fix 8139too build bug (Jürgen Zimmermann)
o Fix slow 8139too performance (Oleg Makarenko)
o Sparc64 exec fixes (Solar Designer)
2.2.20pre6
o Merge all the pending ISDN updates (Kai Germaschewski)
| These are sizable changes and want a good testing
o Fix sg deadlock bug as per 2.4 (Douglas Gilbert)
o Count socket/pipe in quota inode use (Paul Menage)
o Fix some missing configuration help texts (Steven Cole)
o Fix Rik van Riel's credits entry (Rik van Riel)
o Mark xtime as volatile in extern definition (various people)
o Fix open error return checks (Andries Brouwer)
2.2.20pre5
o Fix a patch generation error, replaces 2.2.20pre4 which is
wrong on ad1848
2.2.20pre4
o Fix small corruption bug in 82596 (Andries Brouwer)
o Fix usb printer probing (Pete Zaitcev)
o Fix swapon/procfs race (Paul Menage)
o Handle ide dma bug in the CS5530 (Mark Lord)
o Backport 2.4 ipv6 neighbour discovery changes (Dave Miller)
o FIx sock_wmalloc error handling (Dave Miller)
o Enter quickack mode for out of window TCP data (Andi Kleen)
o Fix Established v SYN-ACK TCP state error (Alexey Kuznetsov)
o Sparc updates, ptrace changes etc (Dave Miller)
o Fix wrong printk in vdolive masq (Keitaro Yosimura)
o Fix core dump handling bugs in 2.2 (Al Viro)
o Update hdlc and synclink drivers (Paul Fulghum)
o Update netlink help texts (Magnus Damm)
o Fix rtl8139 keeping files open (Andrew Morton)
o Further sk98 driver updates. fix wrong license (Mirko Lindner)
text in files
o Jonathan Woithe has moved (Jonathan Woithe)
o Update cpqarray driver (Charles White)
o Update cciss driver (Charles White)
o Don't delete directories on an fs that reports (Ingo Oeser)
then 0 size when doing distclean
o Add support for the 2.4 boot extensions to 2.2 (H Peter Anvin)
o Fix nfs cache locking corruption on SMP (Craig Hagan)
o Add missing check to cdrom readaudio ioctl (Jani Jaakkola)
o Fix refclock build with newer gcc (Jari Ruusu)
o koi8-r fixes (Andy Rysin)
o Spelling fixes for documentation (Andries Brouwer)
2.2.20pre3
o FPU/ptrace corruption fixes (Victor Zandy)
o Resync belkin usb serial with 2.4 (Greg Kroah-Hartmann)
o Resync digiport usb serial with 2.4 (Greg Kroah-Hartmann)
o Rsync empeg usb serial with 2.4 (Greg Kroah-Hartmann)
o Resync ftdi_sio against 2.4 (Greg Kroah-Hartmann)
o Bring keyscan usb back into line with 2.4 (Greg Kroah-Hartmann)
o Resync keyspan_pda usb with 2.4 (Greg Kroah-Hartmann)
o Resync omninet usb with 2.4.5 (Greg Kroah-Hartmann)
o Resync usb-serial driver with 2.4.5 (Greg Kroah-Hartmann)
o Resync visor usb driver with 2.4.5 (Greg Kroah-Hartmann)
o Rsync whiteheat driver with 2.4.5 (Greg Kroah-Hartmann)
o Add edgeport USB serial (Greg Kroah-Hartmann)
o Add mct_u232 USB serial (Greg Kroah-Hartmann)
o Update usb storage device list (Stas Bekman, Kaz Sasayma)
o Bring usb acm driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring bluetooth driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring dabusb driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring usb dc2xx driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring mdc800 usb driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring rio driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring USB scanner drivers into line with 2.4.5 (Greg Kroah-Hartmann)
o Update ov511 driver to match 2.4.5 (Greg Kroah-Hartmann)
o Update PCIIOC ioctls (esp for sparc) (Dave Miller)
o General sparc bugfixes (Dave Miller)
o Fix possible oops in fbmem ioctls (Dave Miller)
o Fix reboot/halt bug on "Alcor" Alpha boxes (Tom Vier)
o Update osst driver (Willem Riede)
o Fix syncppp negotiation bug (Bob Dunlop)
o SMBfs bug fixes from 2.4 series (Urban Widmark)
o 3ware IDE raid driver updates (Adam Radford)
o Fix incorrect use of bitops on non long types (Dave Miller)
o Fix reboot/halt bug on 'Miata' Alpha boxes (Tom Vier)
o Update Tim Waugh's contact info (Tim Waugh)
o Add TIOCGSERIAL to sun serial on PCI sparc32 (Lars Kellogg-Stedman)
o ov511 check user data more carefully (Marc McClelland)
o Fix netif_wake_queue compatibility macro (Andi Kleen)
2.2.20pre2
o Fix ip_decrease_ttl as per 2.4 (Dave Miller)
o Fix tcp retransmit state bug (Alexey Kuznetsov)
o Fix a few obscure sparc tree bugs (Dave Miller)
o Fix fb
o Fix complie with CONFIG_INTEL_RNG=y (Andrzej Krzysztofowicz)
o Fix rio driver when HZ!=100 (Andrzej Krzysztofowicz)
o Stop 3c509 grabbing other EISA boards (Andrzej Krzysztofowicz)
o Remove surplus defines for root= names (Andrzej Krzysztofowicz)
o Revert pre1 APIC change
2.2.20pre1
o Fix SMP deadlock in NFS (Trond Myklebust)
o Fix missing printk in bluesmoke handler (me)
o Fix sparc64 nfs (Dave Miller)
o Update io_apic code to avoid breaking dual (Johannes Erdfelt)
Athlon 760MP
o Fix includes bugs in toshiba driver (Justin Keene,
Greg Kroah-Hartmann)
o Fix wanpipe cross compile (Phil Blundell)
o AGPGART copy_from_user fix (Dawson Engler)
o Fix alpha resource setup error (Allan Frank)
o Eicon driver updates (Armind Schindler)
o PC300 driver update (Daniela Squassoni)
o Show lock owner on flocks (Jim Mintha)
o Update cciss driver to 1.0.3 (Charles White)
o Backport cciss/cpqarray security fixes (me)
o Update i810 random number generator (Jeff Garzik)
o Update sk98 driver (Mirko Lindner)
o Update sis900 ethernet driver (Hui-Fen Hsu)
o Fix checklist glitch in make menuconfig (Moritz Schulte)
o Update synclink driver (Paul Fulghum)
o Update advansys scsi driver (Bob Frey)
o Ver_linux fixes for 2.2 (Steven Cole)
o Bring 2.2 back into line with the master ISDN (Kai Germaschewski)
o Whiteheat usb driver update (Greg Kroah-Hartmann)
o Fix via_rhine byte counters (Adam Lackorzynski)
o Fix modem control on rio serial (Rogier Wolff)
o Add more Iomega Zip to the usb storage list (Wim Coekaerts)
o Add ZF Micro watchdog (Fernando Fuganti)
Excuse my ignorance on the subject, but isn't the kernel open source? Why couldn't one do a simple diff to see what's changed?
Can someone explain this plain and simple?
First, I agree with the original post that Alan Cox's behavior, aside from the legal issues, was fairly inconsiderate. However, I think that he was conscious of that fact, and as I understand it, he was acting under legal counsel.
However, you are right: The issue today is when and whether to document the exact nature of security issues.
Regarding software, I am a strong proponent of full disclosure. System and network security has several aspects, and the real security is found in how the network is designed, so that it can minimize security risks. Two networks running the same software and hardware may posess very different degrees of security due to their underlying infrastructure, etc. So disclosing the exact nature of a software vulnerability is not the same as giving instructions on how to break into a system.
However full disclosure does accomplish several things:
1: A reliable way to see which systems are vulnerable.
2: A clear understanding of what the log signatures of an attack would look like.
3: A clear understanding of how the exploit works so that administrators can make intelligent choices as to how to reduce or mitigate that risk.
The first one was covered in the article, but I see the second two as extrmely important as well.
LedgerSMB: Open source Accounting/ERP
I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak.
I think not! Pandora's Box is a Microsoft product! It would be really amusing if Cox opened it.
Of course, Pandora's Box really describes my thoughts of NT...
LedgerSMB: Open source Accounting/ERP
Danny.
I have written over 900 book reviews
As I see it, Linux is open-source and a community project. Does the DMCA keep developers within an organization from communicating with each other? No. Therefore, it should not keep Mr. Cox from communicating errata to the organization that develops Linux, which happens to be the open-source community.
Now, having said that, it seems that some sticky points may come up when you consider that there are commercial entities that profit from reselling linux or, if you will, conveniently packaging it. Could they claim commercial wrong by revealing possible exploits? Hmmm?
Perhaps the most pragmatic approach would be to alter the license that the code is distributed under to say that the user/repackager recognizes the right of individuals to specify the existence of security holes and how to fix them. That these specifications do not diminish the commercial value but rather enhance them.
Mind you, this is not the comprehensive solution that Mr. Cox seeks. However, it is a solution that may be better suited to the community to which Mr. Cox belongs...and more feasible to boot. The DMCA is something we in the US have been saddled with. We should not let it disrupt the open source process.
And open source is at a grave disadvantage here: when Microsoft violates the GPL, nobody will know about it because it is hidden in gigabytes of messy binaries. But when Apache or the Linux kernel steps on someone's toes, everybody knows about it right away because the source code is open and widely read.
I don't have a solution for this problem other than that we need to become more active politically: open source software should not be at this disadvantage. But until the laws are fixed, decisions like Cox's, will be both rational and increasingly common. Stopgap technological measures, such as anonymous posting of such information, may help in the meanwhile, but they are far from perfect, both because they don't actually remove the legal liability and because they make development unnecessarily cumbersome.
Well, since I have no way to know if security holes :)
exist in the Linux kernel, I will have to switch
to another operating system that I can verify problems
with. Obviously if people think Linux can be run
in a production environment before, it won't be now.
Good thing for the BSDs at least.
OpenBSD says no REMOTE security holes in 4 years in the default installation. This is a far cry from saying now holes.
I really respect *BSD. In many instances, I think that it is somewhat more mature for some tasks than Linux. However, that does not change the argument that OpenBSD is secure because of distrobution issues more than kernel issues. And there are similar Linux distributions, such as Trustix which apply the same mentality. You, sir, are a troll.
LedgerSMB: Open source Accounting/ERP
More likely scenario: It'll now be impossible to get my boss to switch anything else of to Linux because if he hears about this, I'm going to have a tough time explaining how we don't get documentation on security issues because some guy over the pond thinks it's a cute way of protesting the DMCA.
Thanks Alan. Way to go on the pro-Linux advocacy front.
The "nonsense" here is the DMCA. Alan's is actually quite a rational response. If he ever finds himself accused under the DMCA, he can point to the fact that once apprised of his legal situation, he took proactive steps to change it. This would certainly mitigate if not eliminate any liability or guilt he has under the law.
Perhaps I should suggest to the FBI that Alan is a known multiple violator of the DMCA and they should extradite him?
If your copyrights were being violated in some way that had to do with previous Linux changelogs, you might be able to do just that, although it might depend on the details of the extradition treaties. What's your point?
Anyone see how Alan's soapboxism is silly now?
No. As you say, you're not as well known as Alan - and not being well-known, you're not exposed to the legal risks, due to greater scrutiny, to which higher-profile people are often subject. I'm sure Sklyarov is really glad to hear that you don't think the DMCA is anything to worry about.
Feel free to cut and paste and modify.
The wheel is turning, but the hamster is dead.
...today he seems to be off-balance, and doesn't seem to understand all of the issues about which he speaks. Apparently he has failed to note a couple of key facts:
Alan Cox hasn't censored himself. If Jon Lasser would fly to England or cross the border into either Mexico or Canada, he could find an Internet café somewhere where he could study the changelogs at his leisure.
It's his country that's done the censorship.
The DMCA has already made the full disclosure way he and everyone else who has the smallest clue about computer and information security knows to be effective illegal in the United States.
If he wants to bitch about it, let him either write to his congressman to get the law repealed, or emigrate to some other country that doesn't have a DMCA-like law.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
What does this have to do with Alan Cox? Everything...
The powers that be in the information sector know that the loss of IP rights would completely destroy the information economy and, as such, the US economy. They cannot let go of these laws. They need them to ensure the survivability of the US economy into the next century. This is why the DMCA will be defended at every turn. This is why any act of "civil disobediece' will be punished. And if it is a foreign citizen that needs to be punished (like Dimitri or Alan) so much the better. The only people who will be crying to defend these "evil hackers" would be a bunch of ineffective nerds who can't even figure out they need to support the mainstream political parties to get their voices heard and who go away after a news article disappears from Slashdot's front page.
So, no. I don't think that Alan is being paranoid or just making a point. What I think is that the Slashdot audience really doesn't understand the extent to which the US economy is supported by IP law and the extent to which our government will go to see those laws protected and extended.
So go ahead. The changelogs are out there. Go ahead and host them yourselves. That is if you're not afraid to. Oh? Got to stay in and watch that Seinfeld rerun, huh? Thought so...
That is all.
Alan, if you're reading, remember that you're in the UK, not the US, and don't pander to their damn silly DMCA "law" either as a joke or semi-seriously
it amazes me that the irony of mr. cox's simple act is lost on you.
i'll explain it this way...
let's say that country A has a law which prohibits you from making documentation available that details how a car door lock can be opened without a key.
now let's say country B has no such law.
citizen of country B is an expert on the mechanics of car door locks, and creates documentation detailing how car door locks for a very popular model of automobile can be opened without a key.
citizen of country B chooses not to make this documentation available to citizens of country A for fear of being prosecuted should he ever choose to travel to country A.
citizen of country A happens to be an owner of this model of automobile and is outraged that the expert, a citizen of country B, will not make this documentation available to him.
now, at the present time citizen of country A has many options available to him.
he can foam at the mouth, screaming bloody murder, because the expert will not give him what he, a citizen of the most free country in the world, wants (gasp!)
he can reflect on the greater implications involved in the experts' stance, and ask himself, 'why will this expert not give me this documentation'?
there a slew of other options citizen of country A has...
including but not limited to.
writing to the people who create the laws of country A and demand that this stupid, corporate-pandering law be removed.
breaking the law as a sign of defiance against the stupidity of it.
etc... et. al
anyway, let me know if you need more clarification on the above points.
thanks.
cvs diff > change.log
who the hell needs a changelog anyway?
Mr Cox is fully within his rights to not publish for fear of prosecution. It has been expressed that it was done as a protest, showing to what ridiculous limits the law can be taken. That is political protest. And I think, rather useless.
There are two ways to challenge a law. Political or judicial. Judicial challenge requires a person to be charged with an offense under the law, then argue before a judge the reasons why the law is unconstitutional. The judge can then declare the law invalid if he agrees with you. Unfortunately, it requires a large personal sacrifice, possibly jail time, expensive court costs, etc.
I propose a strategy, with agreement required by all involved. All possible violations of the DCMA must generate a complaint, requiring the FBI to enforce the law. The more cases, the more inane, the better. When brought before judges, they will see the danger of the law, rule against it, and build a jurisprudence against the law. Eventually the law will become defined very narrowly, or judged unconstitutional in it's entirety.
There are many instances of very bad laws being overturned by individuals forcing the authorities to prosecute, then judges throwing the cases out.
Derek
This is the smartest solution:
Alan discloses the Changelog with ROT26 encryption, and therefore he is himself covered by DMCA.. don't u think so ?
If Alan Cox thinks that the DMCA makes it illegal to publish the ChangeLog mentioning the vulnerabilities, then he also should realize that publishing the source to fix the vulnerabilities would be illegal as well. Think about it -- the ChangeLog provides hints, perhaps, but the patch from one revision to another provides crackers with detailed instructions on what must occur to exploit the vulnerability. If he were to apply his logic properly, he could only release full kernel binaries without the source to avoid DMCA violations.
First and foremost I respect and admire the work Mr. Cox does. And just as I am allowed to respect and admire his work I freely choose to disagree with his overt political opinions regarding the changelogs and the withholding of them from US citizens based on a law he is interpreting to include those changelogs.
Secondly I admit I am not an expert on the DMCA but from what I have read and studied so far his camparison of publishing changelogs -vs- circumvention devices/reverse engineering of document protection is the equivalent to comparing apples -vs- oranges.
In the Skylarov case for example,Mr. Skylarov wrote code to circumvent Adobes ebook encryption scheme.. correct? Then Adobe complained to authorities prompting an investigation and subsequently withdrew its complaint. After investigating it was determined by the FBI that he (Skylarov) violated US law by writing and distributing a "crack", code to circumvent Adobes encryption scheme so that people would not have to purchase content in Adobe ebook format. With his "crack" one could gain the content without paying for it. Whether or not you agree with proprietary formats or not, "stealing" it by way of circumvention is still petty theft in my opinion.
Back to how Cox fits in... Why would Mr. Cox fear his publishing of changelogs would be in violation? I have yet to see on Slashdot or his diary pages or from the main pages at that website a detailed explanation of exactly WHY he feels he needed to do this.
And if I am right it would take a whole lot more than simply publishing the changelogs to violate the DMCA. Correct me if I am wrong, but please show me proof (from sources that are legitamate). Would "NOT" publishing the changelogs feed into the premise that the DMCA is legitamite? Wouldn't the owner of the code have to actually submit a complaint to the authorities to be charged with a violation of the DMCA, similar to what Adobe did to Mr. Skylarov? BTW, since the linux kernel is open source and licensed under the GPL doesn't that in effect offer protection against a DMCA violation for publishing changelogs? I mean does Mr. Cox think Linus or someone else is going to complain to the FBI that he has somehow violated the DMCA by publishing changes he made to the Linux kernel? Why does he NOT worry about the changes to the kernel itself then? The kernel is obviously published all over the world includeing the US and it has his changes in it already doesn't it? That kinda seems oxymoronic in my opinion.
Lastly, the irony is that I have read some comments in this artice and on a previous Slashdot article that suggest the US laws are squashing freedom and the US government is oppressing its people, while Mr. Cox nor anyone else has mentioned anything about the UK's own RIP (Regulation of Investigatory Powers Act of 2000) from the Crown itself, which is a quite scary peice of legislation and comparable to the DMCA only it has a broader, less defined scope about it. Some links on the RIP are here: World Socialist Website , SiliconValley.com , ZDNet , The Register.
In summary, withholding changelogs sounds like just a little more "America bashing". While I typically choose not to be anti-anyone else my feelings of patriotism are quite high due to recent events in America. My personal view of a non-US citizen withholding information from US citizens/developers is counter productive in repealing the DMCA. Should he feel so strongly about the DMCA then I would invite him to become a US citizen and VOTE to repeal this ignorant law instead of bitching about it from some other place in the world that has its own share of ignorant laws and regulations. Yes, do something...anything but legitimizing the DMCA by withholding changelogs!
Zoom
Integrity is what you are when nobody is looking.