Re: AW: [suse-security] [Flame] A Disservice to the Linux Community
Very interesting debate; it's the first time I'm noticing that open-source devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/ I think so, too. The particular bug that has been found is not really severe, as far as I understood it (you have to guess a 24-bit syncookie). I don't think that there was anything that spoke against full disclosure. What SuSE did was _maybe_ good from the commercial side, but absolutely not from the free and open source side. This makes me a bit sad :(
I'm sad, too. Some bug gets known by person X at a time A. X reports the bug to person Y, a kernel developer, at time B. Y has a fix at time C and communicates it to the distributors of the software. At time C, often in coordination with X and Y, the bug propagates through the security channels, along with the fix. If you cannot live with the fact that the time differences between A, B and C are non-zero, then you should begin programming your own operating system. And, more importantly, you had better not disclose the sources to anybody, because they might report some security bug. This is how it works, and it has proven to be successful over the last 6 years. So where is the problem?
Markus
Roman.
> Some bug gets known by person X at a time A. X reports the bug to person Y, a kernel developer, at time B. Y has a fix at time C and communicates it to the distributors of the software. At time C, often in coordination with X and Y, the bug propagates through the security channels, along with the fix.

My "problem" is that the fix was available, but non-public. I think, usually, when a problem is discovered, the responsible maintainer is asked to fix it, and then the bug (+ fix) goes public. If a distribution vendor who discovers the bug takes some extra time to fix it for the distribution (coordinated with other vendors, or not), then people who build their own kernels have to wait, too.

If someone who doesn't work for a distributor had found the bug, it would have gone public earlier. I think this is the real problem people had with this particular thing. In this case, I'm sure you took all precautions, so no one except the one who found it and the one who fixed it knew about it (GPG, ...). This is ok. Anyway, I know that it isn't so easy. People want commercial support and free information. And blame someone else ;)

Markus

--
Markus Gaugusch ICQ 11374583
markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail