2005-02-02
Recent events have shown that the way security in the Linux kernel is handled is broken, and it needs to be fixed right now.
Linux Kernel Security is Lacking
2005-02-02
Anonymous (1 replies)
Linux Kernel Security is Lacking
2005-02-04
Anonymous (5 replies)
"The numbers" and (deliberate?) failure to understand what linux is
2005-02-07
RedHat not Linux User. (1 replies)
Re: The "numbers" and (deliberate?) failure to understand what linux is
2005-02-07
Jason V. Miller (Author) (1 replies)
Linux Kernel Security is Lacking
2005-02-03
Todd Knarr (1 replies)
Linux Kernel Security is Lacking
2005-02-04
Jason V. Miller (Author) (1 replies)
Linux Kernel Security is Lacking
2005-02-05
Todd Knarr (1 replies)
Linux Kernel Security is Lacking
2005-02-09
Joe Borsits (1 replies)
Linux Kernel Security is Lacking
2005-02-03
Anonymous (1 replies)
I eagerly await...
2005-02-03
Anonymous (5 replies)
flamer ! is not having a hidden mailing = we don't care about security
2005-02-04
Alban Browaeys (1 replies)
flamer ! is not having a hidden mailing = we don't care about security
2005-02-04
Jason V. Miller (Author)

Firstly, I don't think that the LKML is an appropriate forum to discuss security vulnerabilities.
Secondly, as per my previous response, the MAINTAINERS file is hardly exhaustive. Additionally, I do not think that each individual contributor / maintainer should be responsible for handling official correspondence with security researchers, and all the other responsibilities that would otherwise be handled by a dedicated security team.
“How many e-mails a day does Linus get, I wonder?”
Probably a lot. However, three *weeks* without so much as a response? This clearly illustrates a problem with the way things are currently handled.
“one could surmise that Spengler had more of a need for publicity and less of a need to actually report a vulnerability through the existing channels.”
I think his comments, although harsh, were warranted. Looking through some Linux kernel-related mailing lists, at least things are being done about these problems now. If there wasn't a problem in the first place, then these discussions wouldn't be going on.
“Second comment is that this article has a terribly misleading title. The real focus of the article is the lack of a central Linux kernel security contact, so how exactly does this end up getting translated to "Linux Kernel Security is Lacking?"”
I only have so much space in one of these articles to talk about the issues at hand, and perhaps I didn't put as much focus on code quality / the general approach to security as I would have liked. Perhaps I'll leave that for another article; however, regardless of whether or not all of my concerns were discussed well enough in the article, I do personally believe that the Linux kernel development team needs to do something about the way they treat security.
Link to this comment: http://www.securityfocus.com/comments/columns/296/30363#30363