Mailinglist Archive: opensuse-security (670 mails)

Re: [suse-security] [Flame] A Disservice to the Linux Community
  • From: Ray Dillinger <bear@xxxxxxxxx>
  • Date: Sat, 3 Nov 2001 09:03:25 -0800 (PST)
  • Message-id: <Pine.LNX.4.40.0111030853200.15165-100000@xxxxxxxxxxxxxxxxx>


On Sat, 3 Nov 2001, Peter Nixon wrote:

>On Sat, 03 Nov 2001 21:23:55 +0900
>Keith Hopkins <hne@xxxxxxxxxxx> wrote:
>
>> Greetings to those at linuxsecurity.com,
>>
>> In regards to http://www.linuxsecurity.com/advisories/suse_advisory-1680.html, there is a note that read....
>> <<QUOTE>>
>> The information about this problem was withheld from the public
>> in coordination with other Linux vendors/distributors in order to
>> give the distributors enough time to update their kernel packages.
>> We find that this coordination is beneficial for the community,
>> while we regret that the bug could not be fixed in time before the
>> other distributor's kernel updates.
>> <<ENDQUOTE>>
>>
>> How dare you. I consider this to be a great disservice to the Linux community. Linux is not about the vendors/distributors. They are not the only ones out there with interests in security problems being fixed. By withholding information, you take away an untold number of eyes that could be looking at the problem. Some of those eyes may even be better equipped to handle the problems than the vendors/distributors themselves, and can do so in a more timely fashion. You have produced an unnecessary window of opportunity for malicious attacks against unprotected systems.


><flame>
>You sir are an idiot.
>
>What we are talking about here is a pretty major bug in the Linux kernel.
>Linux is now a mainstream product that is used commercially in many major organisations.
>SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date.

<snip ad hominem attack>

>Feel free to speak again when you have something productive to offer
></flame>


He did offer something productive. You flamed him for it. Linux
security is NOT based on "commercial manufacturers" -- Microsoft's
security is. Linux is not secure because bugs are hidden, ever. It
is secure because when bugs become publicly known, there are hundreds
of times more people who want to fix them than there are who want to
develop exploits.

While I agree that the choice of whether and how to reveal a bug is
up to the person or people discovering it, every day it went unfixed
because of you withholding information was another opportunity for
a crack to be developed. When you held it back, maybe a few dozen
people were working on it. Had you released it, a few hundred would
have tried to exploit it -- which overwhelms the puny effort that
distribution builders or any commercial providers can make -- but a
few *thousand* would have tried to fix it first, which overwhelms the
efforts of the crackers.

Linux security is because of the community, not the distribution
packagers. That is why it is better than commercial products, and
only as long as it continues that way will it remain better than
commercial products.

Bear
