Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

9 of 234 comments

  1. You are making it too complicated by SumDeusExMachina · Score: -1, Flamebait

    Although initially Mr. Cox's censorship affected all Linux users around the world equally, he and kernel developer Rik Van Riel hoped to establish a non-US website, somehow inaccessible to US readers, where uncensored changelogs could be posted in the future. (This can be found online at http://www.thefreeworld.net/non-US/.) He said that until the DMCA is overturned, "US citizens will have to guess about security issues [in the Linux kernel]."

    The reference to the DMCA being overturned is revealing. Mr. Cox wants this to happen, and his little tinpot emperor censorship game is intended, in his apparently delusional mind, as a powerful political statement toward that end. It does not seem to have occurred to him, in his current seemingly megalomaniacal state, that members of the US Congress probably do not use Linux, and even those few Congressional staffers who might know what Linux is probably don't build their own kernels, and so will never know about Mr. Cox's protest. The only thing Mr. Cox has achieved, or has any chance of achieving, by his action is to annoy US-based Linux users -- which is probably quite all right with him, safely out of reach in England, with his typical English resentment of the former colonies who have long since outstripped England in world influence.

    Mr. Cox has attempted to support his ridiculous and obviously politically-motivated censorship with the claim that his decision was based on legal advice (implying that he fears that documenting security-related kernel fixes places him at risk of being prosecuted under the DMCA's anti-circumvention provisions), but this seems highly unlikely to be true.

    For one thing, Mr. Cox has refused to identify the person who gave him this alleged advice, or even to provide any details of their reasoning (or, for that matter, their qualifications). The statement that he was acting on a "legal opinion", vague as that is, is absolutely all he has been willing to say, although he was asked for clarification by several readers of the linux-kernel mailing list.
    Furthermore, adequacy.org has consulted with a senior official of the Electronic Frontier Foundation (who are quite active in DMCA-related litigation, contributing both to the defense of Dimitry Sklyarov, and Dr. Edward Felten's suit against the RIAA) and two Silicon Valley-based attorneys with experience in copyright litigation. All three of these well-qualified sources laughed at the idea that Alan Cox could be prosecuted under the DMCA for providing Linux kernel changelogs; furthermore, not one of these sources was inclined to believe that Mr. Cox seriously believed himself to be risking prosecution. One of the sources, who is a Linux user and is familiar with Mr. Cox's history, said with a chuckle, "Alan's just having his fun, trying to make a statement."

    What amazes me most is that Mr. Cox is willing to abuse his authority as the maintainer of the Linux 2.2 kernel in the service of his political goals. As one of the most significant kernel developers, he should see himself as someone working in the interest of all Linux users to improve the kernel. Concealing important security information from US-based Linux users is simply incompatible with responsible professional conduct for someone in his position. Mr. Cox is entitled to his political views, but he should find appropriate occasions to express them.

    --

    Is your company running tools written by ma
  2. And who didn't see this coming? by SumDeusExMachina · Score: 0, Flamebait
    Honestly, can we have a show of hands? First of all, let me start out by pointing to the sheer stupidity of a British citizen lending credence to an American law. Does this man know anything about precedent? Is "precedent" even in his vocabulary? Nice job, Alan, please don't ever become a lawyer.

    Now, not only has he failed to realize that the only people who won't be taking his actions at face value are all the people who already agree with him, but, let's face it, the information he was suppressing wasn't even covered by the DMCA. Remember, the DMCA covers encryption on copyrighted works. Since the Linux kernel has neither, it obviously has nothing to do with the DMCA and only serves to hurt the people that would need to know about security fixes. Way to go Alan, maybe you should stay out of Public Relations.

    In fact, maybe we have a new job in order for Mr. Cox: security auditing for Microsoft. After all, who could possibly be a stronger proponent of security through obscurity?

    --

    Is your company running tools written by ma
  3. Re:For God's sake by Anonymous Coward · Score: -1, Flamebait
    Jesus, shut the fuck up you dumb American. Firstly, if you have a problem with Alan's performance, try doing his job -- better. Secondly, don't you see this was a (slightly joking) objection to the DMCA?

    Christ, I'm glad all you idiots left this country 200 years ago, because it would be sheer hell trying to explain the obvious to you all the same.

  4. Alan Cox yet again by tannhaus · Score: 1, Flamebait

    Alan Cox has definitely begun to irritate me over the last few months. First, he won't change over the VM, then he won't disclose the changelogs. He finally gave in on the VM.

    Mr. Cox, do you adhere to all the rules of the U.S. as a British citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.

    The DMCA is a U.S. law. Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention. This is simply ridiculous. You can't be put in jail for publishing changelogs to your own code.

    Oh my god...last week I tried to hack my own linux box! I'm a fugitive from justice!

    Personally, I vote Alan Cox finds him a nice little therapist somewhere in merry old England and tries to get some help.

  5. Re:Farting out your father's cum by Anonymous Coward · Score: -1, Flamebait

    be careful what you ask for. I hear once subscriptions are in place, non-subscribers will see naked pictures of slashdot bitch Hemos.

  6. Re:Why should Cox risk jailtime ? by Anonymous Coward · Score: -1, Flamebait

    The Russian was put in jail because he's a criminal software pirate.

    Are you equating security changelogs with piracy?

    And it's laughable to say Cox could go to jail for something no one but another Linux hacker would care about.

    I love the net. It gives people who know nothing about anything a forum to demonstrate their ignorance.

  7. Alan's taking the easy way out by SMN · Score: 3, Flamebait
    This is liable to be scored (-1, Unpopular Opinion), but it needs to be said:

    If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.

    Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.

    Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
  8. Not Open Enough by Lazaru5 · Score: 1, Flamebait

    I have always favored the BSD freenixes over Linux. One primary reason is that all code is maintained in publicly viewable CVS servers.

    Linux, unfortunately, is not. To the best of my knowledge, Linus doesn't even use CVS privately. If you want to upgrade your kernel, you have to wait for new releases in the form of full or patch tarballs delivered to kernel.org like mana from heaven (Linus). There's no easy way to see arbitrary changes in any file at any time. There's no reading commit logs.

    For that matter, there's no easy way to contribute. That is to say, there's not an _easier_ way. You have to mail your patches to some list or maintainer, etc. There's no public bug tracker.

    When will it be Open? Or is Free enough?

    --
    My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
  9. fuck'em by Labandion · Score: -1, Flamebait

    if cox is too damn chicken shit or maybe he is hiding something. what a fucking loser. just another linux fuck wad who needs him dumb ass