Re: [Dailydave] Linux's unofficial security-through-coverup policy
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 17 Jul 2008 09:58:03 -0500
--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad <elazar () hushmail com>
> I could understand why Linus is against classifying a commit
> comment in his branch or in any unstable branch for that
> matter...then again, the repositories are open, and anyone with
> half a brain might be able to discern what has security
> ramifications or not.
Apparently this isn't as true as you'd like to think. If it were, the folks
who write the code would have caught it to begin with. After all, anyone who
can write kernel code that works has *at least* half a brain, wouldn't you say?
The truth is, there is a very small pool of people smart enough, educated
enough and familiar with the code in question enough to actually spot security
problems in the code. Those folks are worth their weight in gold, but in many
cases they do it for the pure pleasure of finding the bugs. They also only
focus on those things that interest them, so the number of people actually
looking for security issues in the Linux kernel code is infinitesimally small
compared to the number of people who use the compiled product.
Claiming that "anyone with half a brain" can spot security problems in code
belittles both those who actually can and all those who cannot but want to be
informed about them so they can protect themselves.
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/