Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy
From: "Elazar Broad" <elazar () hushmail com>
Date: Thu, 17 Jul 2008 11:32:20 -0400

Sorry if I was not clear enough, I meant in the commit comments. I 
agree, you need about a brain and a half to spot kernel bugs in the 
code itself...

On Thu, 17 Jul 2008 10:58:03 -0400 Paul Schmehl 
<pschmehl_lists () tx rr com> wrote:
--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad 
<elazar () hushmail com> 
wrote:

I could understand why Linus is against classifying a commit
comment in his branch or in a any unstable branch for that
matter...then again, the repositories are open, and anyone with
half a brain might be able to discern what has security
ramifications or not.

Apparently this isn't as true as you'd like to think.  If it were, 
the folks 
who write the code would have caught it to begin with.  After all, 
anyone who 
can write kernel code that works has *at least* half a brain, 
wouldn't you say?

The truth is, there is a very small pool of people smart enough, 
educated 
enough and familiar with the code in question enough to actually 
spot security 
problems in the code.  Those folks are worth their weight in gold, 
but in many 
cases they do it for the pure pleasure of finding the bugs.  They 
also only 
focus on those things that interest them, so the number of people 
actually 
looking for security issues in the LInux kernel code is 
infinitesimally small 
compared to the number of people who use the compiled product.

Claiming that "anyone with half a brain" can spot security 
problems in code 
belittles both those who actually can and all those who cannot but 
want to be 
informed about them so they can protect themselves.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Click to become a master chef, own a restaurant and make millions.
http://tagline.hushmail.com/fc/Ioyw6h4eAFcOJbfoL5Wwa5NEmtU7vhJkF49lH3FbZ1YKdjbrwlfVgs/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]