Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- Along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

15 of 234 comments

  1. And who exactly.... by EvlPenguin · · Score: 2, Interesting

    ...would prosecute the kernel developers as a result of full disclosure? I thought the DMCA's "circumvention" clauses only apply to the company/entity that made the product which is being exploited? I seriously doubt anyone on the kernel development team would start a lawsuit.

    Alan has done some great work. But he really needs to step off of his soap box for a few minutes.

    --
    #nohup cat /dev/dsp > /dev/hda & killall -9 getty
  2. DMCA? by autopr0n · · Score: 2, Interesting

    How on earth could Linux security information be a violation of the DMCA? Linux is not a 'content protection system'. The DMCA doesn't say you can't hack, it only says you can't hack content protection.

    --
    autopr0n is like, down and stuff.
  3. That Alan Cox comment was a protest! by Cyclops · · Score: 2, Interesting

    Come on, how can you not understand that that comment from Alan Cox was a protest (though using some British sense of humour?).

    There is full disclosure. Just look at the diff.

    I can't understand how people can claim to understand free software development and then have these claims.

    Hugs, Cyclops

  4. How is a changelog a circumvention dev ? by Billly+Gates · · Score: 3, Interesting

    Is Linux being used to hack descrambler boxes? Is it being used to decrypt DVDs? What exactly does Linux do? The answer is that Linux is a kernel that runs on PC hardware. There is nothing illegal or controversial about it. Unless you use BSD of course. :-) But my point is that a changelog is not a circumvention device. It doesn't actually do anything. The case with Adobe and the Russian programmer is different. He showed how to illegally open sensitive and copy-righted oops I mean controlled works without Adobe's permission. The only person who can sue Alan is Linus. I don't think he will do this. Anyway Alan did not reverse engineer Linux anyway. He just read about security related issues and manually fixed the source. The GPL allows this. Since Linux is only used to boot a PC and not circumvent a copyright there is nothing even Linus can do. In other words Alan is full of shit.

  5. Re:This mean that Linux devs and Microsoft agree.. by hearingaid · · Score: 3, Interesting

    Actually, I did read the article, and I stand by my complaint about Lasser. Of course, he's much closer to the truth than the /. poster I was replying to, but I still think he's overstating the case.

    Cox did release the changelogs. He just didn't release them in the United States. Lasser doesn't mention that fact. Apparently, he's unaware of the world past the land of the DMCA.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  6. Nitpicks by twilight30 · · Score: 2, Interesting

    Cox is Welsh, not English. Cox lives in Wales, not England. If you're going to copy verbatim something off Adequacy, realise that even they are not going to get everything right.

    --
    ========================================
    Death will come, and will have your eyes
    -- Pavese
  7. Careful - Europe is not that far behind... by jneves · · Score: 2, Interesting

    The EUCD - European Union Copyright Directive - has to be transposed to national law by December 22nd 2002. That means we'll also have DMCA-like legislation in the near future.

  8. Publishing source violates DMCA by z19752002 · · Score: 3, Interesting

    Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.

  9. Is this official Redhat policy? by glrotate · · Score: 1, Interesting

    Alan claimed to have received legal advice. Redhat has a responsibility to its customers to disclose security info, and Alan is an employee of Redhat. What does Redhat have to say about this?

  10. Re:You are making it too complicated by Anonymous Coward · · Score: 1, Interesting

    as a u.s. citizen would you say linux is more important than your freedom of speech?
    if anything, mr. cox should be applauded for putting a thorn (however small) right in the eye of this stupid, anti-american law.
    thank you mr. cox, for making an important point and for standing up for all of us having to deal with the total idiocy that is the dmca.

  11. Re:The dangers of illegality by Xylantiel · · Score: 2, Interesting

    offtopic but...

    It just struck me that they had to pass a CONSTITUTIONAL AMENDMENT in order to make liquor illegal, but for all the illegal drugs today just a law was passed. Seems like a case of reinterpretation of what freedoms are protected under the constitution. I'll have to look into it by seeing when the drug laws were passed and such, but it's an interesting topic.

    I'm starting to get very disappointed in my US history as I learned in High School (I took mostly world history in college). They teach you about when the US got all these great freedoms but they don't teach you about when they were taken away again.

  12. Re:AC interview on Newsforge, linked on Linuxtoday by Anonymous Coward · · Score: 1, Interesting

    OK, so find a mirror or other explanation that does have the info you want in easily digestible format. As you have said, not all agree with him, or have some legit need of the documentation. (Note that this is intended as a US-only ban, so the info is in fact available through other sources.)

    As for Linux' use as a soapbox, it's not all that unusual - see various writings/rants by RMS, ESR, and various and sundry {Linux|Open Source|Free Software} pundits.

    Glenn

  13. Re:Hrm. by Ami+Ganguli · · Score: 3, Interesting

    That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I purchase some MP3s, and someone hacked my account to grab them, that hack wouldn't be considered illegal under the DMCA.

    I'm not sure that's true, but even if it is I don't see how it makes a difference. The most likely scenario is a content creator uses his network drive while creating the content. Somebody else who has access to the machine hacks it and steals the content.

    And remember, judges are supposed to go by the spirit of the law, not necessarily the letter.

    I'm not sure that's really true either, but by the time the case gets to the courts the poor programmer has already spent several months in jail. Think about this for a second. Why should a U.K. citizen risk getting embroiled in the American legal system? He doesn't live there, vote there, or have any particular interest in becoming a martyr like Dimitri. Would you get involved in human rights protests in China while on vacation there? I doubt it. You can sympathize, but in the end it's not your battle. It's the same with Alan.

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
  14. Re:Alan's taking the easy way out by crucini · · Score: 2, Interesting

    First, it's criminal prosecution, not just a suit. Second, why is Alan obliged to become a martyr to an unjust law in a foreign country? Did you travel to Afghanistan and commit adultery so you could be stoned to death, thereby convincing the Afghanis of the injustice of sharia? Better yet, why don't you go to England and violate the RIP law by refusing to provide decryption keys to a block of data the police want. Maybe when you're living in a British prison Alan Cox will be inspired to come live in an American prison.

  15. Re:I simply do not understand by innocent_white_lamb · · Score: 3, Interesting

    I mean, who would be the complainant in the case?

    As the DMCA is a federal law, the complainant in that case would be the same as the complainant the next time someone gets busted by the DEA for importing cocaine. The US federal government. No need for a "real person" to file a complaint or anything like that.

    Would they not have to demonstrate some kind of damage that resulted from the alleged misdeed?

    That's not included in the DMCA, sorry. No need to actually prove that any damage was done.

    Surely, he's just making a point, right?

    Nope, he's genuinely concerned about going to jail. Mr. Cox has apparently checked with a lawyer (always a good idea when unsure of what the law really is) and has been advised as follows:

    (a) It is unlikely but not out-of-the-question that he would be arrested and incarcerated in the US for publishing the changelogs.
    (b) It is extremely unlikely (almost impossible) that he would actually be CONVICTED under the DMCA.

    Having considered the matter, Mr. Cox takes the not unreasonable position that he would rather not take a chance of being arrested and tossed into jail until he eventually gets to trial. It's a small chance, sure, but the possibility does apparently exist.

    I don't see how anyone can fault Mr. Cox for taking action to ensure that he does not get tossed into jail in the USA the next time he visits there. He's checked with a lawyer and been advised that there is a risk; he chooses not to take that risk.

    --
    If you're a zombie and you know it, bite your friend!