A dedicated team might speed up responses, but it may also slow them down. For a lot of security problems you need not just someone who knows security but someone who knows the portion of the kernel involved. And here's another kicker: what happens when you report a security problem to the kernel team and they say "That code doesn't exist."? This can easily happen when, for example, RedHat's patched their kernel to include the piece of code but it hasn't made it into the main-line kernel. In that case the central team can't help you, and going through them just slows the process down. This is why, as some others have said, the first point of contact for security problems is and should be the maker of the distribution you're using, not the kernel team itself. Linux and the distributions are fundamentally a distributed effort, which colors everything and means that stuff that works in a centrally-controlled environment doesn't work the same for Linux.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/296/30444#30444