Kernel space: Full disclosure for security holes
linuxworld.com — Even the most casual observer of the linux-kernel mailing list must have noticed that, in the shadow of the firmware flame war, there is also a heated discussion over the management of security issues. There have also been some attempts to turn this local battle into a multi-list, regional conflict. Finding the right way to deal with security problems i
- hsinray, on 07/23/2008, -32/+2
Hi you are my friend and I digg your story. Can you digg mine too? It is an interesting story on using the iPhone 3G to make yourself popular. Also please add me as a friend. http://digg.com/gadgets/9_Ways_iPhone_3G_can_make_ ...
- ngb5012, on 07/24/2008, -0/+2
would you trade a dugg story for the most buried comment of all time?
- coreyb, on 07/23/2008, -2/+14
Yes, everyone who works on the project is a superstar, but when it comes down to it, I have a live OS running the kernel that has holes. This is not a university project anymore and people can't play high school games. I need to know what the threat level on a security hole (known and unknown) is so that I can guard against them, and I need to know what bugs exist so that I can plan responses to them.
- DeathfireD, on 07/24/2008, -1/+7
The security holes are listed as bugs and not as security holes. Just read the change log every time a new kernel comes out and figure out if any of the "bugs" may affect your computer or network. Linus just doesn't allow full details about what the bug is or how to reproduce said bugs. If you're that paranoid then you should just update the kernel every time Linus says something like "any users of the x.x.xx kernel series are STRONGLY encouraged to upgrade to this release". I think this is way better than Windows' patch system of not getting updated for months even though everyone and his brother knows about the security hole.
- over9k, on 07/24/2008, -11/+5
lol @ infighting. no wonder it's always the year of the Linux desktop.
- nmnnotmyname, on 07/24/2008, -0/+2
...lol @ you...
Linux devs are trying to actually solve important problems and people are worried about everyone and their grandma being able to use Linux? I think the reason people always say it's the year of the Linux desktop is because it always has the potential to be, but it never is because not enough devs care about it being that. They care about Linux actually being a good OS. Focusing on grabbing as many people as we can would be an MS move.
Of course, distro devs are responsible for making Linux a desktop OS more than anyone, but they are also working on more important issues than simplicity, like well-built audio infrastructures and flexibility. And Compiz Fusion, because it's cool.
- tajitj, on 07/24/2008, -16/+1
http://digg.com/2008_us_elections/August_5th_AXE_t ...
- angryfirelord, on 07/24/2008, -4/+9
rotl, I wonder if Linus regrets his monkey comment now. It seems the Linux community needs to learn a little thing called MANAGEMENT! The BSDs use it by planning out every feature of what will go into the kernel rather than impulsively flinging some half-finished or broken driver into the kernel. Because of this, Linux still has some community issues to work out because there is no planned system. The BSDs have used this technique and it makes their OSs rock solid for anything. Even for your toaster.
- rolosworld, on 07/24/2008, -3/+2
did you even read the article or you just mentally masturbated?
- angryfirelord, on 07/24/2008, -1/+3
Yes, I read it and when you get to college, you'll understand that the only way to get things done is to have a coordinated team. That's why FreeBSD wipes the floor with Linux in performance and why OpenBSD wipes Linux in security.
But wait, what's this? I don't even need to run OpenBSD to get its tools! OpenBSD was kind enough to allow pf to be ported to FreeBSD. NetBSD helps out by helping port over the other BSDs to other CPU architectures. FreeBSD helps out by helping maintain ports for the other BSDs. It's a nicely organized system that not only cooperates, but gets things done. With Linux, all I hear is "this distro sux, use this one" or "you use winblows? haha I AM HAXXORs compared to you!" As you can see with this article, not even the fricking Linux kernel developers can get along and that's why security bugs have to be downgraded to the status of regular bugs because those regular bugs should have been worked out in the planning stage. You Linux users can preach to me the Word of Stallman & Torvalds all you want, how great the GPL is and that world hunger will end if I use Linux, but the truth of the matter is this project is seriously uncoordinated. If this mess took place in a business setting, all those guys would be fired in an instant.
Now, I'm not saying that all Linux developers are off their rocker. I'm sure there are good ones who just want to help improve on it. But if Linux wants to survive, then Linus and his head developers need to remove their heads from their arses and start planning ahead. They need to make sure the code is written properly by having it checked extensively the first time, not when it breaks and pisses off a million users. After all, Linux has Red Hat, IBM, Sun, etc., so if the BSDs can do it and do it well, why not Linux?
- nmnnotmyname, on 07/24/2008, -1/+1
Linus seems to think that evolution will take place naturally... I think that's a little long-winded...
- rolosworld, on 07/25/2008, -0/+1
angryfirelord, still in your reply you don't sound logical.. in what way are your comments even relevant to the topic? What would make Linus regret his monkey comment? You're off topic here! This article is talking about Linus not explaining the flaws in the changelog (thus the title). Now, in what way does this make Linus regret his comment??? This is stuff they kept talking about even before he made the comment!!
"... security bugs have to be downgraded to the status of regular bugs because those regular bugs should have been worked out in the planning stage."
hmm, let me see, Linus classifies security bugs as bugs, and this is wrong to you? You say programmers fix their bugs in the planning stage?
"If this mess took place in a business setting, all those guys would be fired in an instant."
what mess????
If you're talking about the "planning" stuff beforehand.. what planning are you talking about? Parts of the kernel? The whole thing? Features that other programmers work on? You say MS would have fired their programmers if Linux was theirs?
you're a really hard person to follow, too much fanboy nonsense.
- ThunderIT, on 07/24/2008, -2/+4
BSDs use engineering, instead of hackery, and this is why they will always be years ahead of Linux. FreeBSD 7.0 has more than a 20% performance lead over the latest Linux kernels, due to their extremely organized and focused SMP development.
I won't even start the argument about how the BSD license is better. I'll just say, no one is ever confused as to what is allowed, and what is not, under the simplified BSD license. You can't get down to much less than two sentences.
- elipabst, on 07/24/2008, -2/+3
Umm, no....
Read the "update":
http://bsd.slashdot.org/article.pl?sid=08/03/06/13 ...
FWIW, these comparisons basically go back and forth between FreeBSD and Linux as new releases come out, so it's usually a bad idea to start showing everyone how big your E-wang is because inevitably you'll be eating crow in a few months.
- r3negadeX, on 08/11/2008, -4/+8
I've come to respect Linus on a lot of things, but he's really talking out of his ass with this one. Regular bugs don't result in databases being destroyed or personal information falling into the wrong hands. Security holes are way more important than regular bugs.
- dougmc, on 07/24/2008, -1/+5
> Regular bugs don't result in databases being destroyed
They won't?
> Security holes are way more important than regular bugs.
Says you. I say that a bug that may trash my filesystem under certain conditions is more serious than a bug that permits a local user to gain root access.
Security bugs are serious, yes, but `Normal bugs' are serious too. Making the most minor security bug get special treatment over the most serious `normal' bug is ... wrong.
- thefinger, on 07/24/2008, -0/+3
"Security holes are way more important than regular bugs."
Tell that to an end user.
- nmnnotmyname, on 07/24/2008, -1/+1
Code-wise it's still the same as any other bug.
- arcticblue, on 07/24/2008, -5/+2
What's with all the people begging for diggs here?
- anshuman, on 07/24/2008, -6/+1
digg me down.
- courtjester555, on 07/24/2008, -6/+1
As a desktop user, I've found Linux to be quite secure. The numbers game alone protects it from many attacks; threats will target Windows computers simply because there are so many more of them.
Then again, Linux is probably more secure than Windows anyway (especially sans antivirus program).
- thefinger, on 07/24/2008, -4/+1
It doesn't help when the founder of Linux is himself a hothead and a juvenile.
- m6ack, on 07/24/2008, -0/+3
I read the discussion on LKML. The security guys took completely the wrong tack on the list. Trying to beat people into submission with the "it's your responsibility" stick is no way to talk to people that don't work for you.
My take is that Linus is not a security auditor. To kernel hackers, every bug is a potential security issue, and if people are on a stable release, they need to be on the latest stable release -- unless they _really_ know what they are doing. The people that are security auditors and that care about tracking their CVE numbers -- they are the ones that are going to have to spend the time to develop the system to map patches to CVEs and develop a system to drop patches into a vendor tree that they don't feel are worthy.
It's also not Linus's responsibility to pay one whit of attention to their documentation requirements. If the security guys want CVEs in the commit logs, they are free to branch/mirror Linus's Git tree and add the CVEs to log entries, and/or fix the bugs themselves -- that, or they could just fork the stable kernel(s).
Now, that by the way is exactly what the vendors do and what their kernel hackers are paid to do. They maintain their own patch sets and triage any patches that go into their distro's stable kernel. Any documentation and testing that needs to be done on a particular defect, they do the paperwork for their kernel.
- bipolarruledout, on 07/24/2008, -2/+3
Raise your hand if you even know what a kernel is. Is slashdot having a link exchange program now?
- nmnnotmyname, on 07/24/2008, -0/+2
*raises hand*