Date: Tue, 26 Feb 2013 22:42:41 +0200 From: Henri Salo <henri@...v.fi> To: Kurt Seifried <kseifried@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE request - Linux kernel: VFAT slab-based buffer overflow On Tue, Feb 26, 2013 at 01:31:59PM -0700, Kurt Seifried wrote: > I suspect part of the problem is scale. Most people don't understand > the scale at which the Linux Kernel and vendors handle bug fixes and > code changes. External people simply see a few poorly handled security > related issues and probably think "well how hard can it be to properly > a few extra security flaws?" but they don't see that those 5 security > issues were buried in 10,000 other code fixes. The resources needed to > audit every code change for a security impact simply aren't available > (and even if we had enough talented people who exactly is going to pay > them all?). Why should they be paid? I'd say problem is that there isn't lots of people who understand aspects needed to notice a security vulnerability in Linux kernel and it's even more difficult to fix it without breaking something else. Money is not the only thing getting stuff done. -- Henri Salo
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.