Torvalds on the Linux Security Process
darthcamaro writes "Linus Torvalds thinks that Linux kernel security disclosure should be completely open and he really doesn't like the vendor-security model of having a time embargo on security disclosure. 'I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,' Torvalds wrote. 'And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"
Why would you have all your ports exposed with nothing running on them? I have a hardware firewall. I only run HTTP and FTP when I need them and then turn them off when I am through. It is really just simple security. Be smart. Oh yeah, I subscribe to security lists and patch when security patches are released.
Insert Generic Sig Here:
Since the article is pretty much a copy/paste job from the lkml, why not link directly to the thread in question?
-- If no truths are spoken then no lies can hide --
Things can be delayed for the right reasons (e.g. for testing).
I think the sentence is saying that things getting lost is not a desirable reason for a delay, which makes sense to me.
Maybe if it said: "the risk of the thing getting lost and thus delayed for the wrong reasons", its intent would be clearer.
Keeping it a secret might put you at a greater risk: you don't know you might be in trouble, but the bad people know about the problem.
So reducing the number of people who know about the problem could make it worse rather than better.
There's a good writeup on this thread at KernelTrap, too. Includes links to the full thread, which is quite fascinating.
If someone had linked to the full discussion, it would have turned out that he suggested a 5 working day embargo on the disclosure MAX. They say, and I think I have to agree, that it's enough time for vendors to catch up. Anything more just makes the problem worse. They will disclose everything after that embargo, of course. There are a lot of good ideas and views, and Linus refined his opinion more than once, so it would be good to read the original discussion and not react based on the submitter's pick.
Just to note, I've been reading LKML for over a year now and I read most of the mail in this thread as well.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I think that TFA features Linus also saying that he's in favour of the security thing being closed so as to allow people time to discuss the problem and to not have to drop everything to fix the problem that day.
>He believes in full disclosure of bugs, not for any philosophical bullshit or imaginary right-to-know,
No he doesn't.
From the article:
"I'd be very happy with a 'private' list in the sense that people wouldn't feel pressured to fix it that day," Torvalds wrote. "And I think it makes sense to have some policy where we don't necessarily make them public immediately in order to give people the time to discuss them."
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
You should read the original mail. Linus says he wants the fix to be published ASAP (or, as he proposes, with a maximum 5-day delay of the fix).
The announcement of the security hole is a whole different issue and can be delayed as long as people want.
BTW, if you don't fix it immediately you are vulnerable and in trouble. The sooner a fix (a fix, not an announcement of a hole) is out, the better.
As soon as more than one person knows them, secrets don't exist.
If there is one person out there who knows about a vulnerability and/or exploit, there is more than one, and that means your systems are at risk instantly, embargo or not.
I'd rather know right away my systems are at risk...worst case, I walk over and yank the ethernet cable until the issue can be resolved. Waiting even 5 days means I'm vulnerable for those 5 days, which is unacceptable. I want the vulnerability fixed immediately. My company's clients would much rather know we took drastic measures to keep their data safe instead of sitting there with our asses hanging out waiting for some corporate vendor to put the best spin on things and generate a press release.
90 days? You've got to be kidding...that means my systems and networks are sitting ducks for 90 days. Unacceptable.
And yes, I do administer a significant number of Linux systems (and Solaris) so I know what I am talking about.
I couldn't quote the letter word for word where he explained what you feel is an inconsistency, but if you accept my interpretation of it, he said that his view about total openness may be a bit extreme, SO he suggested this compromise between full embargo (vendor-sec) and total openness to strike a healthy balance.
I just want to point out as well that the reason why Linus doesn't want to have anything to do with vendor-sec is politics.
I have to point out as a sidenote, though it seems to fit here, that Andres Salomon started a new patchset, the "-as".
"Hi,
I'm announcing a new kernel tree; -as. The goal of this tree is to form a stable base for vendors/distributors to use for their kernels. In order to do this, I intend to include only security fixes and obvious bugfixes, from various sources. I do not intend to include driver updates, large subsystem fixes, cleanups, and so on. Basically, this is what I'd want 2.6.10.1 to contain."
"I just run "apt-get update && apt-get dist-upgrade" once a day"
Ah, what a nice world you live in.
I do that at home. At work, I would be in a world of hurt if I did that. I have thousands of machines running a mix of in-house and external software which customers rely on for mission-critical stuff. I can't install every little patch just because it might make my frobnitzer go faster, and even when I WANT a fix, it's got to be tested in various production configurations first to see if it breaks something (you'd be surprised how often a security fix breaks something).
So I read security updates from the vendor, and install what needs to be installed as soon as I can. If those security updates are coming to me days, weeks or even months after the script kiddies started playing with the exploit code... ugh.