Slashdot Mirror


Linux's Security Through Obscurity

An anonymous reader writes "The age-old full disclosure debate has been raging again, this time in no other place than at the foundations of the open-source flagship GNU/Linux operating system: within the Linux kernel itself. It beggars belief, but even Linux creator, Linus Torvalds, has advocated against the sort of openness on which Linux has thrived, arguing that security fixes to the kernel should be obscured in changelogs, saying 'If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it.' Unfortunately, it's not kernel exploit writers who need to grep the changelog in order to find kernel vulnerabilities. On the contrary, it's downstream distributors who rely on changelog information in order to decide when to patch the kernels of their distributions, in order to keep their users safe."

3 of 215 comments

  1. The idealistic young become the cynical old. by HungryHobo · Score: 4, Interesting

    And so the cycle continues.

    The thing is that while security through obscurity is a fool's game, it can also hurt your users to publish exact details of the security vulnerabilities you've found in your own product before many of your users have had a chance to patch the problem.

    1. Re:The idealistic young become the cynical old. by gmack · Score: 4, Interesting

      In both. There were some that were Linux only but quite a few affected OpenBSD as well.

      It's not that they didn't do a good job, and they clearly did a much better job than the SSH daemon they replaced; it's just that the Linux distros adopting it increased its userbase by a lot and, as a side effect, increased the number of people who saw a need to look at the code.

  2. Wisdom from Ted T'so, as usual. by Medievalist · Score: 4, Interesting

    Read this post to get some perspective:

    http://article.gmane.org/gmane.linux.kernel/707044

    Linus is being blunt, as usual, and he's telling everybody what his personal policy is towards disclosure. If he finds a bug, he fixes it, and he doesn't rate security bugs as more or less important than other bugs because he's a kernel hacker, and therefore security bugs are not his sole focus in life. He doesn't use any special language to highlight or obscure security fixes in the changelog, he just describes the fix, which is what people are claiming is "security by obscurity".

    From that, people looking for something to bitch about have created this kerfuffle; it is a tale told by an idiot, full of storm and fury, and signifying... nothing. (from Macbeth, 5.5)

    "Shakespeare really kicks the cap off" -- James Hovenac