Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [Dailydave] Linux's unofficial security-through-coverup policy
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 17 Jul 2008 09:58:03 -0500

--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad <elazar () hushmail com> 

I could understand why Linus is against classifying a commit
comment in his branch or in a any unstable branch for that
matter...then again, the repositories are open, and anyone with
half a brain might be able to discern what has security
ramifications or not.

Apparently this isn't as true as you'd like to think.  If it were, the folks 
who write the code would have caught it to begin with.  After all, anyone who 
can write kernel code that works has *at least* half a brain, wouldn't you say?

The truth is, there is a very small pool of people smart enough, educated 
enough and familiar with the code in question enough to actually spot security 
problems in the code.  Those folks are worth their weight in gold, but in many 
cases they do it for the pure pleasure of finding the bugs.  They also only 
focus on those things that interest them, so the number of people actually 
looking for security issues in the LInux kernel code is infinitesimally small 
compared to the number of people who use the compiled product.

Claiming that "anyone with half a brain" can spot security problems in code 
belittles both those who actually can and all those who cannot but want to be 
informed about them so they can protect themselves.

Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]