Slashdot Mirror

← Back to Stories (view on slashdot.org)

Torvalds on the Linux Security Process

Posted by michael on from the lockdown dept.

darthcamaro writes "Linus Torvalds thinks that Linux kernel security disclsoure should be completely open and he really doesn't like the vendor-security model of having a time embargo on security disclosure. 'I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,' Torvalds wrote. 'And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

11 of 280 comments (clear)

  1. One person can't fix it alone. by teiresias · · Score: 5, Insightful

    any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

    I think he really hit the nail on the head with that comment. I can't tell you the number of times CRs or issues have been sent to me through e-mail which have either been lost or forgotten about on my part (sorry). However, using tracking programs which the entire group has access to (we use Mantis) not only are the problems kept on fresh but people will remind me of them or if they are feeling particularly bold, fix them themselves.

    --
    -Teiresias
  2. Summation of the article by Nosf3ratu · · Score: 5, Insightful
    "Quite frankly, nobody should ever depend on the kernel having zero holes," Torvalds wrote. "We do our best, but if you want real security, you should have other shields in place."

    Bingo.

    --
    The old Lie: Dulce et decorum est Pro patria mori
    1. Re:Summation of the article by Erik+Hensema · · Score: 4, Insightful

      You should never depend on a single point of failure. If kernel security is your single point of failure, then you're at risk.

      However, you also shouldn't depend solely on "other shields in place" for security. Those shields might fail too.

      A simple example is apache. It almost never is run as root, as a security measure. However, when an attacker succeeds in gaining webuser privileges, you'll have to depend on kernel security.

      In short: try to make software as bugfree as possible and use multiple barriers that will have to fail before an attacker can 0wn your machine.

      --

      This is your sig. There are thousands more, but this one is yours.

  3. But... by nuclear305 · · Score: 5, Insightful

    "And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

    I don't disagree with what Linus is saying, but what difference does it make if 10 people are informed rather than 10 million when it still doesn't change the fact that only a select few can change the official kernel source? People in production environments aren't going to apply a patch created by Joe in his basement, they're going to want an official kernel patch.

    If the ones responsible for the affected part of the kernel are slow to handle a security issue, full disclosure IMHO is a bad thing.

    One could argue that full disclosure would motivate those responsible to fix the problem faster, but this is not always the case.

    If Linus is the only person that can change a specific part of the kernel, what good does notifying the world instead of just him do?

    1. Re:But... by DrSkwid · · Score: 4, Insightful

      If Linus is the only person that can change a specific part of the kernel, what good does notifying the world instead of just him do?

      Because some of us can change our own kernels while we wait for the official patch.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  4. Re:You should listen to him... by sphealey · · Score: 5, Insightful
    Sorry to have to disagree, particularly about someone who is clearly far above my level in most respects, but .... Linus doesn't administer any significant number of Linux systems, nor is he responsible for any significant-sized networks. While I agree that full disclosure in a reasonable period of time (say 90 days) is best, immediate disclosure can leave thousands of systems vulnerable with no patches and no reasonable way to get them patched immediately even if a fix is available.

    sPh

  5. There's a reason why Linus is Alpha-Geek.... by Anonymous Coward · · Score: 4, Insightful

    and this is it. I totally agree with his ideas and would prefer his solution -- total openness.

    "Otherwise it just becomes politics..." -- Linus Torvalds

  6. Politics by RangerRick98 · · Score: 4, Insightful
    I've seen quite a few comments about systems being left vulnerable with no solution if immediate disclosure is the policy. But from TFA:

    "I'd be very happy with a 'private' list in the sense that people wouldn't feel pressured to fix it that day," Torvalds wrote. "And I think it makes sense to have some policy where we don't necessarily make them public immediately in order to give people the time to discuss them. But it should be very clear that no entity (neither the reporter nor any particular vendor/developer) can require silence, or ask for anything more than 'let's find the right solution.'"


    Linus is just trying to keep the politics out of it, is all. He's not saying that every bug should be made public knowledge immediately, only that things shouldn't be kept secret for reasons other than the security of the users' systems.
    --
    "You're older than you've ever been, and now you're even older."
  7. Re:You should listen to him... by ichimunki · · Score: 5, Insightful

    Disclosure or not, if there is an exploit possible your systems are vulnerable. Would you not prefer knowing right away that your system is vulnerable? The exploit may have been discovered some time ago by a black-hat--he won't wait 90 days for you to have a chance to patch it before exploiting it. What you're saying makes it sound like the bug doesn't exist until somebody talks about it.

    --
    I do not have a signature
  8. Re:On Linus by ajs · · Score: 5, Insightful

    This is a massive distortion. There are dozens of folks who are just as level-headed as Linus. Linus happens to get the lion's share of attention from the community, which is a bit of a paradox given his personality, but he's not alone by a long shot.

    Now, if you're just thinking of the handfull of interview-bait folks like RMS, ESR, etc. then yes Linus does tend to stand out as a non-politico.

  9. Re:You should listen to him... by m50d · · Score: 4, Insightful

    If there is an undisclosed exploit, your systems are vulnerable to whoever has done a deep kernel audit and found it. If there is a disclosed exploit and no patch, your systems are vulnerable to every script kiddie out there. In the case of services which can be turned off you might be better with disclosure, but how the hell do you plan to turn off your kernel? I know which situation I prefer.

    --
    I am trolling