Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261356AbVALT2u (ORCPT ); Wed, 12 Jan 2005 14:28:50 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261334AbVALT0b (ORCPT ); Wed, 12 Jan 2005 14:26:31 -0500 Received: from fw.osdl.org ([65.172.181.6]:60883 "EHLO mail.osdl.org") by vger.kernel.org with ESMTP id S261320AbVALTVo (ORCPT ); Wed, 12 Jan 2005 14:21:44 -0500 Date: Wed, 12 Jan 2005 11:21:37 -0800 From: Chris Wright To: Linus Torvalds Cc: Chris Wright , akpm@osdl.org, alan@lxorguk.ukuu.org.uk, marcelo.tosatti@cyclades.com, linux-kernel@vger.kernel.org Subject: Re: thoughts on kernel security issues Message-ID: <20050112112137.Q24171@build.pdx.osdl.net> References: <20050112094807.K24171@build.pdx.osdl.net> <20050112104407.N24171@build.pdx.osdl.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from torvalds@osdl.org on Wed, Jan 12, 2005 at 10:57:25AM -0800 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2043 Lines: 51 * Linus Torvalds (torvalds@osdl.org) wrote: > On Wed, 12 Jan 2005, Chris Wright wrote: > > > > Right, I know you don't like the embargo stuff. > > I'd very happy with a "private" list in the sense that people wouldn't > feel pressured to fix it that day, and I think it makes sense to have some > policy where we don't necessarily make them public immediately in order to > give people the time to discuss them. That's what I figured you meant. > But it should be very clear that no entity (neither the reporter nor any > particular vendor/developer) can require silence, or ask for anything more > than "let's find the right solution". A purely _technical_ delay, in other > words, with no politics or other issues involved. Agreed. > Otherwise it just becomes politics: you end up having security firms that > want a certain date because they want a PR blitz, and you end up having > vendors who want a certain date because they have release issues. There is value in coordinating with vendors, namely to keep them from being caught with pants down. But vendor-sec already does this part well enough. > Does that mean that vendor-sec would end up being used for some things, > where people _want_ the politics and jockeying for position? Probably. > But having a purely technical alternative would be wonderful. > > > > If that means that you can get only the list by invitation-only, that's > > > fine. > > > > Opinions on where to set it up? vger, osdl, ...? > > I don't personally think it matters. Especially if we make it very clear > that it's purely technical, and no vendor politics can enter into it. > Whatever ends up being easiest. Well, easiest for me is here ;-) thanks, -chris -- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/