Re: thoughts on kernel security issues

[Alan Cox]

On Iau, 2005-01-13 at 17:22, Marcelo Tosatti wrote:
> Well the reporters, and vendorsec, have to be aware that the 
> "kernel security list" is the main discussion point of kernel security issues.

As it should be - I'd rather Linus was fixing these bugs than some of
the other stuff that comes out. The fix quality would go up markedly.

> If the embargo period is reasonable for vendors to prepare their updates and 
> do necessary QA, there should be no need for kernel issues to be coordinated 
> (and embargoed) on vendorsec anymore. Does it make sense?

vendor-sec was never intended to be a kernel security list, it became
one by necessity. Its mostly actually talking about crap like gaim,
xpdf, gaim, gaim again. Its a contact point for any security problem
related to Linux and then normally works with the authors unless they
don't want to work with us.

> The main reason for reporters to require "permission" to spread the information
> is because they want make a PR of their discovery, yes?

Sometimes. Others like CERT have set disclosure dates across many
vendors already and aren't in the PR business so much as the "this is a
linux and windows and apple bug" business. Most of those cross platform
bugs are user space but far from all. 

> In that case they should be aware that submitting to vendorsec means submitting
> to kernel security, and that means X days of embargo period.

Then if the dates don't suit them they won't submit to vendor-sec and
we'll have to set up vendor-sec-two for them or build individual
relationships which are bound to mean the small vendors suffer. We can
push them, we can ask them to report to linux-security but we can't make
them jump. 

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/