
Re: Kernel 2.6.11



On Sun, 06 Mar 2005 08:11:41 -0800
Eric Gaumer <gaumerel@ecs.fullerton.edu> wrote:

> Seeker5528 wrote:
> > On Wed, 2 Mar 2005 15:43:24 -0500 (EST)
> > Robert Brockway <rbrockway@opentrend.net> wrote:
> >
> >
> >>Well since you don't believe me on this (or other :) issues, read
> >>Alan's words:
> >>
> >>http://lkml.org/lkml/2005/1/13/236
> >
> >
> > What was said elsewhere:
> >
> > http://news.zdnet.co.uk/software/linuxunix/0,39020390,39189593,00.htm
> >
> > was:
> >
> > "Cox said that Torvalds does not always let people know when he has
> > fixed a security bug in the kernel. This can be a problem as the patch
> > will take a while to make it to production, which means that hackers can
> > exploit the vulnerability before it is made available to individuals and
> > enterprises running Linux.
> >
> > "Linus has this bad habit of fixing security holes quietly," said Cox.
> > "This is a bad idea as some people read all the kernel patches to find
> > the security holes.""
> >
> 
> Same guy saying the same thing. Big deal. This actually contradicts his first argument that
> Linus releases code with known security holes. Now Alan is saying Linus fixes security holes
> and doesn't tell anyone. So which is it?

It's not the same thing and I see no contradiction.

It should be no secret to anyone who has followed a few kernel.org
releases that as new releases come out one thing gets fixed and another
thing gets broken. It seems to be fairly common.

Looking at the one lkml posting by itself does not really say a whole
lot to me; it needs more context. It doesn't say anything about the
general security of the kernel.org releases that changes how I feel
about downloading the sources and compiling my own kernel.

Even without taking security into account, many people would be better
served getting kernel sources supplied by their distribution vendor.

The article I quoted from is all about process and says nothing about
kernels being released with known security issues, or not.

It is a simple statement that if Linus applies a security patch in his
tree and does not make it known, someone following along could recognize
it and use that information to attack vendor kernels before the vendors
have a chance to provide a patched kernel.

I thought it was an interesting contrast to the lkml post, and I don't
see it as something that should necessarily be viewed as a big issue,
just something that is.

Later, Seeker


