Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

4 of 234 comments

  1. And who didn't see this coming? by SumDeusExMachina · Score: 0, Flamebait
    Honestly, can we have a show of hands? First of all, let me start out by pointing to the sheer stupidity of a British citizen lending credence to an American law. Does this man know anything about precedent? Is "precedent" even in his vocabulary? Nice job, Alan, please don't ever become a lawyer.

    Now, not only has he failed to realize that the only people who won't be taking his actions at face value are all the people who already agree with him, but, let's face it, the information he was suppressing wasn't even covered by the DMCA. Remember, the DMCA covers encryption on copyrighted works. Since the Linux kernel has neither, it obviously has nothing to do with the DMCA and only serves to hurt the people that would need to know about security fixes. Way to go Alan, maybe you should stay out of Public Relations.

    In fact, maybe we have a new job in order for Mr. Cox: security auditing for Microsoft. After all, who could possibly be a stronger proponent of security through obscurity?

    --

    Is your company running tools written by ma
  2. Alan Cox yet again by tannhaus · Score: 1, Flamebait

    Alan Cox is definitely beginning to irritate me in the last few months. First, he won't change over the VM, then he won't disclose the changelogs. He finally gave in on the VM.

    Mr. Cox, do you adhere to all the rules of the U.S. as a British citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.

    The DMCA is a U.S. law. Dmitri Sklyarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention. This is simply ridiculous. You can't be put in jail for publishing changelogs to your own code.

    Oh my god...last week I tried to hack my own linux box! I'm a fugitive from justice!

    Personally, I vote Alan Cox finds him a nice little therapist somewhere in merry old England and tries to get some help.

  3. Alan's taking the easy way out by SMN · Score: 3, Flamebait
    This is liable to be score (-1, Unpopular Opinion), but it needs to be said:

    If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.

    Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.

    Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
  4. Not Open Enough by Lazaru5 · Score: 1, Flamebait

    I have always favored the BSD freenixes over Linux. One primary reason is that all code is maintained in publicly viewable CVS servers.

    Linux, unfortunately, is not. To the best of my knowledge, Linus doesn't even use CVS privately. If you want to upgrade your kernel, you have to wait for new releases in the form of full or patch tarballs delivered to kernel.org like mana from heaven (Linus). There's no easy way to see arbitrary changes in any file at any time. There's no reading commit logs.

    For that matter, there's no easy way to contribute. That is to say, there's not an _easier_ way. You have to mail your patches to some list or maintainer, etc. There's no public bug tracker.

    When will it be Open? Or is Free enough?

    --

    --
    My comments and opinions completely reflect those of anyone and anything I am remotely associated with.