Slashdot Mirror


Torvalds on the Linux Security Process

darthcamaro writes "Linus Torvalds thinks that Linux kernel security disclosure should be completely open and he really doesn't like the vendor-security model of having a time embargo on security disclosure. 'I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,' Torvalds wrote. 'And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

18 of 280 comments

  1. What !? by Squatchman · · Score: 5, Funny

    kernel bugs

    Thou shalt not speak ill of the linux kernel!

    Oh wait, it's Linus.

  2. One person can't fix it alone. by teiresias · · Score: 5, Insightful

    any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

    I think he really hit the nail on the head with that comment. I can't tell you the number of times CRs or issues have been sent to me through e-mail which have either been lost or forgotten about on my part (sorry). However, using tracking programs which the entire group has access to (we use Mantis), not only are the problems kept fresh but people will remind me of them or, if they are feeling particularly bold, fix them themselves.

    --
    -Teiresias
  3. Summation of the article by Nosf3ratu · · Score: 5, Insightful
    "Quite frankly, nobody should ever depend on the kernel having zero holes," Torvalds wrote. "We do our best, but if you want real security, you should have other shields in place."

    Bingo.

    --
    The old Lie: Dulce et decorum est Pro patria mori
    1. Re:Summation of the article by Stevyn · · Score: 5, Funny

      Yeah, like Service Pack 2. That's got a firewall and everything!

    2. Re:Summation of the article by Erik+Hensema · · Score: 4, Insightful

      You should never depend on a single point of failure. If kernel security is your single point of failure, then you're at risk.

      However, you also shouldn't depend solely on "other shields in place" for security. Those shields might fail too.

      A simple example is apache. It is almost never run as root, as a security measure. However, when an attacker succeeds in gaining webuser privileges, you'll have to depend on kernel security.

      In short: try to make software as bugfree as possible and use multiple barriers that will have to fail before an attacker can 0wn your machine.

      --

      This is your sig. There are thousands more, but this one is yours.
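The "multiple barriers" point above is usually implemented by a daemon dropping root after it has bound its privileged port. The following is an added example, not code from the Slashdot thread or from Apache: a minimal permanent privilege drop in C, with a self-check that the process really cannot get root back. The target uid/gid of 65534 (a common "nobody" id) and the helper names are assumptions of this example; a real daemon would look its service account up with getpwnam().

```c
/* Added example (not from the thread or from Apache): permanent privilege
 * drop of the kind a network daemon performs after binding port 80, plus a
 * check that the drop is irreversible. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid permanently. Order matters: supplementary groups
 * and the gid must be changed first, because once the uid is unprivileged
 * they can no longer be changed. Returns 0 on success, -1 (errno set) on
 * failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear supplementary groups; only root may call setgroups(). */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* setgid()/setuid() (not seteuid()) change the real, effective and
     * saved ids together, so the process cannot later seteuid(0) back. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process is unprivileged and cannot regain root,
 * 0 if it still is root or could become root again. */
int cannot_regain_root(void)
{
    if (geteuid() == 0)
        return 0;
    /* If the saved uid were still 0 this call would succeed; it must fail. */
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

int main(void)
{
    /* Hypothetical unprivileged ids (assumption of this example). When not
     * started as root, "drop" to our own ids so the program still runs. */
    uid_t target_uid = geteuid() == 0 ? 65534 : getuid();
    gid_t target_gid = geteuid() == 0 ? 65534 : getgid();

    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u, can regain root: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           cannot_regain_root() ? "no" : "yes");
    return 0;
}
```

The check in cannot_regain_root() is the part most daemons skip: a drop done with seteuid() instead of setuid() leaves the saved uid at 0, and the "webuser" an attacker obtains can simply switch back to root without touching the kernel at all.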

  4. But... by nuclear305 · · Score: 5, Insightful

    "And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

    I don't disagree with what Linus is saying, but what difference does it make if 10 people are informed rather than 10 million when it still doesn't change the fact that only a select few can change the official kernel source? People in production environments aren't going to apply a patch created by Joe in his basement, they're going to want an official kernel patch.

    If the ones responsible for the affected part of the kernel are slow to handle a security issue, full disclosure IMHO is a bad thing.

    One could argue that full disclosure would motivate those responsible to fix the problem faster, but this is not always the case.

    If Linus is the only person that can change a specific part of the kernel, what good does notifying the world instead of just him do?

    1. Re:But... by DrSkwid · · Score: 4, Insightful

      If Linus is the only person that can change a specific part of the kernel, what good does notifying the world instead of just him do?

      Because some of us can change our own kernels while we wait for the official patch.

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  5. Re:You should listen to him... by sphealey · · Score: 5, Insightful
    Sorry to have to disagree, particularly about someone who is clearly far above my level in most respects, but .... Linus doesn't administer any significant number of Linux systems, nor is he responsible for any significant-sized networks. While I agree that full disclosure in a reasonable period of time (say 90 days) is best, immediate disclosure can leave thousands of systems vulnerable with no patches and no reasonable way to get them patched immediately even if a fix is available.

    sPh

  6. Closed Security by thegnu · · Score: 5, Funny

    I've never really gotten the mechanism whereby software giants keep their software secure by not telling anyone about the security hole until it's fixed. First, we know about information leaks. Secondly, it's terribly profitable for some people to sit around and figure out security holes so they can steal from people.

    Especially in the position that Microsoft is in, with the lion's share of the market, and a supposed interest in keeping my data secure, I would assume that the first move would be to notify their customers of any security hole that might be potentially harmful to me. Given the number of them, I guess it would keep my mailbox full, but I wouldn't mind.

    Oh, I don't use Windows. Never mind. Yay for Linux (and Linus)!

    --
    Please stop stalking me, bro.
  7. There's a reason why Linus is Alpha-Geek.... by Anonymous Coward · · Score: 4, Insightful

    and this is it. I totally agree with his ideas and would prefer his solution -- total openness.

    "Otherwise it just becomes politics..." -- Linus Torvalds

  8. Politics by RangerRick98 · · Score: 4, Insightful
    I've seen quite a few comments about systems being left vulnerable with no solution if immediate disclosure is the policy. But from TFA:

    "I'd be very happy with a 'private' list in the sense that people wouldn't feel pressured to fix it that day," Torvalds wrote. "And I think it makes sense to have some policy where we don't necessarily make them public immediately in order to give people the time to discuss them. But it should be very clear that no entity (neither the reporter nor any particular vendor/developer) can require silence, or ask for anything more than 'let's find the right solution.'"


    Linus is just trying to keep the politics out of it, is all. He's not saying that every bug should be made public knowledge immediately, only that things shouldn't be kept secret for reasons other than the security of the users' systems.
    --
    "You're older than you've ever been, and now you're even older."
  9. Mailing list thread by OblongPlatypus · · Score: 4, Informative

    Since the article is pretty much a copy/paste job from the lkml, why not link directly to the thread in question?

    --
    -- If no truths are spoken then no lies can hide --
  10. Re:You should listen to him... by ichimunki · · Score: 5, Insightful

    Disclosure or not, if there is an exploit possible your systems are vulnerable. Would you not prefer knowing right away that your system is vulnerable? The exploit may have been discovered some time ago by a black-hat--he won't wait 90 days for you to have a chance to patch it before exploiting it. What you're saying makes it sound like the bug doesn't exist until somebody talks about it.

    --
    I do not have a signature
  11. Re:You should listen to him... by MBAFK · · Score: 5, Informative
    The systems would still be vulnerable with no patch available. The administrators might not know there was a vulnerability but an attacker may know about it.

    Keeping it a secret might put you at a greater risk - you don't know you might be in trouble but the bad people know about the problem.

    So reducing the number of people who know about the problem could make it worse rather than better.

  12. Re:You should listen to him... by A+beautiful+mind · · Score: 4, Informative

    If someone had linked to the full discussion, it would have turned out that he suggested a 5 working day embargo on the disclosure MAX. They say, and I think I have to agree, that it's enough time for vendors to catch up. Anything more just makes the problem worse. They will disclose everything after that embargo of course. There are a lot of good ideas and views and Linus refined his opinion more than once, so it would be good to read the original discussion and not react based on the submitter's pick.

    Just to note, I've been reading LKML for over a year now and I read most of the mail in this thread as well.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  13. No! by 91degrees · · Score: 4, Interesting

    Scenario 1: Bug is detected. Full disclosure including exploit.

    Result: Mallory uses exploit. Alice releases a bugfix, Bob applies the fix. If it takes Alice and Bob longer than Mallory, the server is compromised.

    Scenario 2: Bug is detected. Kept quiet.

    Result: Eventually Mallory detects the same bug. Exploits it. Server compromised.

    Scenario 3: Bug is detected. Released only to trusted developers.

    Result: Alice releases bugfix. Announces that it fixes a security hole. Gives general details of what the bug is. Mallory has to work out the details and exploit it. This gives Bob a lot more time to apply the patch than scenario 1.

    So what's so great about full immediate disclosure?

  14. Re:On Linus by ajs · · Score: 5, Insightful

    This is a massive distortion. There are dozens of folks who are just as level-headed as Linus. Linus happens to get the lion's share of attention from the community, which is a bit of a paradox given his personality, but he's not alone by a long shot.

    Now, if you're just thinking of the handful of interview-bait folks like RMS, ESR, etc. then yes, Linus does tend to stand out as a non-politico.

  15. Re:You should listen to him... by m50d · · Score: 4, Insightful

    If there is an undisclosed exploit, your systems are vulnerable to whoever has done a deep kernel audit and found it. If there is a disclosed exploit and no patch, your systems are vulnerable to every script kiddie out there. In the case of services which can be turned off you might be better with disclosure, but how the hell do you plan to turn off your kernel? I know which situation I prefer.

    --
    I am trolling