Slashdot Mirror

← Back to Stories (view on slashdot.org)

Torvalds on the Linux Security Process

Posted by michael on from the lockdown dept.

darthcamaro writes "Linus Torvalds thinks that Linux kernel security disclsoure should be completely open and he really doesn't like the vendor-security model of having a time embargo on security disclosure. 'I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,' Torvalds wrote. 'And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

10 of 280 comments (clear)

  1. What !? by Squatchman · · Score: 5, Funny

    kernel bugs

    Thou shalt not speak ill of the linux kernel!

    Oh wait, it's Linus.

  2. One person can't fix it alone. by teiresias · · Score: 5, Insightful

    any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

    I think he really hit the nail on the head with that comment. I can't tell you the number of times CRs or issues have been sent to me through e-mail which have either been lost or forgotten about on my part (sorry). However, using tracking programs which the entire group has access to (we use Mantis) not only are the problems kept on fresh but people will remind me of them or if they are feeling particularly bold, fix them themselves.

    --
    -Teiresias
  3. Summation of the article by Nosf3ratu · · Score: 5, Insightful
    "Quite frankly, nobody should ever depend on the kernel having zero holes," Torvalds wrote. "We do our best, but if you want real security, you should have other shields in place."

    Bingo.

    --
    The old Lie: Dulce et decorum est Pro patria mori
    1. Re:Summation of the article by Stevyn · · Score: 5, Funny

      Yeah, like Service Pack 2. That's got a firewall and everything!

  4. But... by nuclear305 · · Score: 5, Insightful

    "And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

    I don't disagree with what Linus is saying, but what difference does it make if 10 people are informed rather than 10 million when it still doesn't change the fact that only a select few can change the official kernel source? People in production environments aren't going to apply a patch created by Joe in his basement, they're going to want an official kernel patch.

    If the ones responsible for the affected part of the kernel are slow to handle a security issue, full disclosure IMHO is a bad thing.

    One could argue that full disclosure would motivate those responsible to fix the problem faster, but this is not always the case.

    If Linus is the only person that can change a specific part of the kernel, what good does notifying the world instead of just him do?

  5. Re:You should listen to him... by sphealey · · Score: 5, Insightful
    Sorry to have to disagree, particularly about someone who is clearly far above my level in most respects, but .... Linus doesn't administer any significant number of Linux systems, nor is he responsible for any significant-sized networks. While I agree that full disclosure in a reasonable period of time (say 90 days) is best, immediate disclosure can leave thousands of systems vulnerable with no patches and no reasonable way to get them patched immediately even if a fix is available.

    sPh

  6. Closed Security by thegnu · · Score: 5, Funny

    I've never really gotten the mechanism whereby software giants keep their software secure by not telling anyone about the security hole until it's fixed. First, we know about information leaks. Secondly, it's terribly profitable for some people to sit around and figure out security holes so they can steal from people.

    Especially in the position that Microsoft is in, with the lion's share of the market, and a supposed interest in keeping my data secure, I would assume that the first move would be to notify their customers of any security hole that might be potentially harmful to me. Given the number of them, I guess it would keep my mailbox full, but I wouldn't mind.

    Oh, I don't use Windows. Nevermind. Yay for Linux (and Linus)!

    --
    Please stop stalking me, bro.
  7. Re:You should listen to him... by ichimunki · · Score: 5, Insightful

    Disclosure or not, if there is an exploit possible your systems are vulnerable. Would you not prefer knowing right away that your system is vulnerable? The exploit may have been discovered some time ago by a black-hat--he won't wait 90 days for you to have a chance to patch it before exploiting it. What you're saying makes it sound like the bug doesn't exist until somebody talks about it.

    --
    I do not have a signature
  8. Re:You should listen to him... by MBAFK · · Score: 5, Informative
    The systems would still be vulnerable with no patch available. The administrators might not know there was a vulnerability but an attacker may know about it.

    Keeping it a secret might put you at a greater risk - you don't know you might be in trouble but the bad people know about the problem.

    So reducing the number of people who know about the problem could make it worse rather than better.

  9. Re:On Linus by ajs · · Score: 5, Insightful

    This is a massive distortion. There are dozens of folks who are just as level-headed as Linus. Linus happens to get the lion's share of attention from the community, which is a bit of a paradox given his personality, but he's not alone by a long shot.

    Now, if you're just thinking of the handfull of interview-bait folks like RMS, ESR, etc. then yes Linus does tend to stand out as a non-politico.