Torvalds on the Linux Security Process
darthcamaro writes "Linus Torvalds thinks that Linux kernel security disclosure should be completely open and he really doesn't like the vendor-security model of having a time embargo on security disclosure. 'I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,' Torvalds wrote. 'And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"
Since the article is pretty much a copy/paste job from the lkml, why not link directly to the thread in question?
-- If no truths are spoken then no lies can hide --
Keeping it a secret might put you at a greater risk - you don't know you might be in trouble but the bad people know about the problem.
So reducing the number of people who know about the problem could make it worse rather than better.
If someone had linked to the full discussion, it would have turned out that he suggested a 5 working day embargo on the disclosure MAX. They say, and I think I have to agree, that it's enough time for vendors to catch up. Anything more just makes the problem worse. They will disclose everything after that embargo, of course. There are a lot of good ideas and views, and Linus refined his opinion more than once, so it would be good to read the original discussion and not react based on the submitter's pick.
Just to note, I've been reading LKML for over a year now and I read most of the mail in this thread as well.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
"I just run "apt-get update && apt-get dist-upgrade" once a day"
Ah, what a nice world you live in.
I do that at home. At work, I would be in a world of hurt if I did that. I have thousands of machines running a mix of in-house and external software which customers rely on for mission-critical stuff. I can't install every little patch just because it might make my frobnitzer go faster, and even when I WANT a fix, it's got to be tested in various production configurations first to see if it breaks something (you'd be surprised how often a security fix breaks something).
So I read security updates from the vendor, and install what needs to be installed as soon as I can. If those security updates are coming to me days, weeks or even months after the script kiddies started playing with the exploit code... ugh.