Re: thoughts on kernel security issues

From: Linus Torvalds
Date: Thu Jan 13 2005 - 14:58:27 EST

On Thu, 13 Jan 2005, John Richard Moser wrote:
>
> > So all security issues are about balancing cost vs gain. I'm convinced
> > that the gain from openness is higher than the cost. Others will disagree.
>
> Yes. Nobody code audits your binaries. You need source code to do
> source code auditing. :)

Oh, it's very clear that some exploits have definitely been written by
looking at the source code with automated tools or by instrumenting
things, and that the exploits would likely have never been found without
source code. That's fine. We just have higher requirements in the open
source community.

And I do think that the same is true for being open about security
advisories: I think that to offset an open security list, we'd have to
then have more "best practices" than a vendor-sec-type closed security
list might need. I think it would be worth it.

Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/