Slashdot Mirror


Reporting Kernel Security Issues

Omniscientist writes "A recent post on KernelTrap details the lkml post by Chris Wright talking about a centralized place to report security issues pertaining to the Linux Kernel and the discussion that was generated by it, including Chris's followup. It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

8 of 75 comments

  1. Good idea? by lachlan76 · Score: 4, Insightful

    To be honest, I'd rather see any security problems in LKML than keep them private... a private bug may not be fixed, but when there is a lot of public pressure to get a patch out, if it's not done *FAST* by the developers, someone in the community will do it. This is not the case if it is kept private.

    1. Re:Good idea? by Anonymous Coward · Score: 5, Insightful

      Did you actually read the fine thread? All Chris is doing is creating a single point of contact for security-related bugs. The current situation is that bugs are reported randomly to lkml, distros or wherever, so some may fall through the net.

      A single point of contact is a good thing in my book.

    2. Re:Good idea? by tibike77 · Score: 4, Insightful

      Well, it's a tradeoff issue... do you prefer that:

      a) all bugs get published "publicly"
      - each and every person can snoop around and either help fix it
      - or instead try to exploit it (even more so, keep on exploiting it on "unpatched" systems for a long time after)

      OR

      b) all serious bugs get published "privately"
      - only "core contributors" get to see it and try to fix it
      - the rest of the population might not even know the bug exists until a patch is released (more so, you might not even know what the bug was)

      Well, I guess (some) people prefer "version B" ;)

      --
      By reading this signature you agree to not disagree with the post you just read.

    3. Re:Good idea? by lachlan76 · Score: 3, Insightful

      Well, the headline made it seem like it was just a private list so that only the dev guys know about the problems. Now that I've gotten further through the thread it seems that Linus is uhh... strongly opposed to that idea.

      But if it's a security problem in the kernel and it gets reported to the vendor currently instead of lkml, what makes you think a single point of contact will be used properly?

    4. Re:Good idea? by pe1rxq · Score: 3, Insightful

      but systems are less vulnerable

      Nobody knowing about the bug doesn't make it less vulnerable.... It might make it less likely that somebody will abuse it, but the hole is still there.

      Keeping it silent only works if you are the only one capable of finding it. It has been shown time after time that that isn't true.

      Jeroen

      --
      Secure messaging: http://quickmsg.vreeken.net/

    5. Re:Good idea? by dmn · Score: 2, Insightful

      ...and wasn't Linux all about "version A"? Sure, full disclosure has its pros and cons, but there is no way to fix the cons without giving up the whole philosophy altogether.

      I was completely astounded to hear that Linus himself agreed to a 5-working-day embargo on making known security issues public. Even if it proves to promote security in general, Linux will lose some of its openness and, what's worse, at the very heart, which I consider the security of a system to be.

      Today, if I choose Linux, I get to know virtually everything about the software I use. I get the source code, I can find out whether anything needs to be fixed and, if it's critical, I can fix it, constantly being _sure_, that my system is as secure as possible, knowing that there are no bugs kept secret from me.

      OK, so maybe only a few Linux users, or even admins, have ever looked into the kernel code to fix a bug, but that's not the point. I mean, how can you talk about cooperation and openness if you keep critical information available only to an eleet, which "knows better" and will give you the fix as soon as they're done? This is IMO against the spirit of Linux.

      Or am I getting things wrong?

  2. This is to stop commercial third party patches by Jack+Taylor · Score: 4, Insightful

    Most of the comments I've read so far seem to be missing the point. The idea of this security team is to make sure that there aren't any publicly known exploits in the kernel without a patch being available; at the moment this is inevitable if a bug is reported directly to the kernel guys, due to the policy of immediate disclosure.

    This move is primarily to stop companies running Linux from going to commercial vendors to patch their kernel for them, and thus keeping Linux security centralised.

    --
    One good turn - gets all the covers.

  3. Re:Working on my own DS_Linux by DrSkwid · Score: 2, Insightful

    we'd still be stuck with an age-old kernel like OpenBSD

    you say that like it's a bad thing?

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter