
Re: Nomination question: Redhat
Joseph Carter <knghtbrd@debian.org> writes:

> > You fail, once again, to even vaguely grasp the point.  Auditing is a
> > _good_ thing, whether it's done by one ``kernel hacker'' or a team of
> > people (OpenBSD).  We don't do it; Redhat does.  And, BTW, dismissing
> > Alan Cox as nothing more than ``a kernel hacker'' is the most crass
> > thing I've ever seen you do.
> 
> I'm not about to bow down and worship Alan Cox, Linus Torvalds, Eric
> Raymond, Richard Stallman, Bruce Perens, the Pope, you, my neighbors, or
> anyone else for that matter.  The way your argument looks to me is "they
> have Alan Cox and we don't so they must have a better security team."  So
> they have Alan Cox working for them, I don't consider this a big deal.

Well, I read James' statement as "They have Alan Cox performing
security audits.  Debian has no formalized security audits by skilled
coders or otherwise.  The fact that it is Alan Cox doing the auditing
is unimportant, in comparison to the fact that we have no auditing
procedure, formal or otherwise."

I do not think that anyone is asking you to bow down to someone, but
only not to belittle them and ignore a large portion of their
expertise outside of the work which has made them a public figure.

> As for Alan being more than a kernel hacker, what more is he?  What makes
> him so special that the distribution that hired him is so much better
> than everyone else?  He can code?  A lot of people can code.

Nothing, but he has done a bit more than just kernel code, and is
therefore more than "a kernel hacker".  Some people revere him, gosh I
even know some people I respect who read his public diary entries in
admiration, and others I respect trash him as being mostly incompetent
and incapable of writing secure code.

At the same time, as a security administrator, your trust of the code
review is directly related to your trust of both the review process
and the persons performing the review.  In this case, the reputation
and proven competence, thus trustworthiness, of the reviewer is
certainly important.  This is why OpenBSD has so much respect in the
security community, because there has been both a full review, and it
was performed by very trustworthy and competent persons, they are
3r33+3.

Perhaps we should move on, and try and start an effort to produce a
formalized auditing procedure for security sensitive Debian packages.
Someone posting to this thread has already made some comments to this
effect, so I suggest we all respond to them, and not continue this
little tit-for-tat.
