Date: Tue, 26 Feb 2013 22:42:41 +0200
From: Henri Salo <henri@...v.fi>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - Linux kernel: VFAT slab-based buffer overflow

On Tue, Feb 26, 2013 at 01:31:59PM -0700, Kurt Seifried wrote:
> I suspect part of the problem is scale. Most people don't understand
> the scale at which the Linux Kernel and vendors handle bug fixes and
> code changes. External people simply see a few poorly handled security
> related issues and probably think "well how hard can it be to properly
> a few extra security flaws?" but they don't see that those 5 security
> issues were buried in 10,000 other code fixes. The resources needed to
> audit every code change for a security impact simply aren't available
> (and even if we had enough talented people who exactly is going to pay
> them all?).

Why should they be paid? I'd say the problem is that there aren't lots of people who
understand the aspects needed to notice a security vulnerability in the Linux kernel,
and it's even more difficult to fix it without breaking something else.

Money is not the only thing getting stuff done.

--
Henri Salo