Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 04 Mar 2013 22:12:56 +0100
From: Eric Lacombe <goretux@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow)

Hi,

Le lundi 4 mars 2013 11:48:58, Greg KH a écrit :
> On Sun, Mar 03, 2013 at 10:39:30PM -0500, Michael Gilbert wrote:
> > I was getting encouraged by the recent anger-centric posts, the "what
> > is it that we're supposed to do better?" ones. That gave me some
> > encouragement that there was the possibility of positive change, but
> > the "we're not going to make users more unsafe by telling them about
> > issues affecting them" is a persistence of the denial state.  That
> > logic completely violates the known idiom that knowledge is power:
> > give users the knowledge that they need to protect themselves, and
> > they will; starve them of that knowledge, and they remain vulnerable.
> 
> That's a load of crap.
> 
> Seriously, you know it only benefits the "bad guys" if I were to say,
> "This patch just went into Linus's tree that fixes a security problem
> that you can exploit in this manner".  No user would have a chance to
> fix their systems before the vulnerability was added to the
> "ultra-sploit" tool and everyone would have their systems trashed.

I think there's a difference between disclosing the vulnerability and 
disclosing it with a related exploit. The first one allows to fulfill what 
Michael Gilbert explains without the consequences that you focus on.

And as Michael Gilbert insisted on, I deeply think that the asymmetry of the 
problem should be taken into account for defining the way of dealing with 
security flaws.

Best regards,

	Eric Lacombe

> 
> If you so strongly believe this, why is there a linux-distros list in
> the first place?
> 
> Come on, be realistic people.
> 
> greg k-h

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ