Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

5 of 234 comments

  1. How is a changelog a circumvention dev ? by Billly+Gates · · Score: 3, Interesting

    Is Linux being used to hack descrambler boxes? Is it being used to decrypt DVDs? What exactly does Linux do? The answer is that Linux is a kernel that runs on PC hardware. There is nothing illegal or controversial about it. Unless you use BSD of course. :-) But my point is that a changelog is not a circumvention device. It doesn't actually do anything. The case with Adobe and the Russian programmer is different. He showed how to illegally open sensitive and copyrighted oops I mean controlled works without Adobe's permission. The only person who can sue Alan is Linus. I don't think he will do this. Anyway Alan did not reverse engineer Linux anyway. He just read about security related issues and manually fixed the source. The GPL allows this. Since Linux is only used to boot a PC and not circumvent a copyright there is nothing even Linus can do. In other words Alan is full of shit.

  2. Re:This mean that Linux devs and Microsoft agree.. by hearingaid · · Score: 3, Interesting

    Actually, I did read the article, and I stand by my complaint about Lasser. Of course, he's much closer to the truth than the /. poster I was replying to, but I still think he's overstating the case.

    Cox did release the changelogs. He just didn't release them in the United States. Lasser doesn't mention that fact. Apparently, he's unaware of the world past the land of the DMCA.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  3. Publishing source violates DMCA by z19752002 · · Score: 3, Interesting

    Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.

  4. Re:Hrm. by Ami+Ganguli · · Score: 3, Interesting
    That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I perchance some MP3s, and someone hacked my account to grab them, that hack wouldn't be considered illegal under the DMCA.

    I'm not sure that's true, but even if it is I don't see how it makes a difference. The most likely scenario is a content creator uses his network drive while creating the content. Somebody else who has access to the machine hacks it and steals the content.

    And remember, judges are supposed to go by the spirit of the law, not necessarily the letter.

    I'm not sure that's really true either, but by the time the case gets to the courts the poor programmer has already spent several months in jail. Think about this for a second. Why should a U.K. citizen risk getting embroiled in the American legal system? He doesn't live there, vote there, or have any particular interest in becoming a martyr like Dimitri. Would you get involved in human rights protests in China while on vacation there? I doubt it. You can sympathize, but in the end it's not your battle. It's the same with Alan.

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow

  5. Re:I simply do not understand by innocent_white_lamb · · Score: 3, Interesting

    I mean, who would be the complainant in the case?

    As the DMCA is a federal law, the complainant in that case would be the same as the complainant the next time someone gets busted by the DEA for importing cocaine. The US federal government. No need for a "real person" to file a complaint or anything like that.

    Would they not have to demonstrate some kind of damage that resulted from the alleged misdeed?

    That's not included in the DMCA, sorry. No need to actually prove that any damage was done.

    Surely, he's just making a point, right?

    Nope, he's genuinely concerned about going to jail. Mr. Cox has apparently checked with a lawyer (always a good idea when unsure of what the law really is) and has been advised as follows:

    (a) It is unlikely but not out-of-the-question that he would be arrested and incarcerated in the US for publishing the changelogs.
    (b) It is extremely unlikely (almost impossible) that he would actually be CONVICTED under the DMCA.

    Having considered the matter, Mr. Cox takes the not unreasonable position that he would rather not take a chance of being arrested and tossed into jail until he eventually gets to trial. It's a small chance, sure, but the possibility does apparently exist.

    I don't see how anyone can fault Mr. Cox for taking action to ensure that he does not get tossed into jail in the USA the next time he visits there. He's checked with a lawyer and been advised that there is a risk; he chooses not to take that risk.

    --
    If you're a zombie and you know it, bite your friend!