Return-Path: <linux-kernel-owner+willy=40w.ods.org-S262099AbVAOBv7@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S262099AbVAOBv7 (ORCPT <rfc822;willy@w.ods.org>);
	Fri, 14 Jan 2005 20:51:59 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262136AbVAOBt3
	(ORCPT <rfc822;linux-kernel-outgoing>);
	Fri, 14 Jan 2005 20:49:29 -0500
Received: from [81.2.110.250] ([81.2.110.250]:59625 "EHLO
	localhost.localdomain") by vger.kernel.org with ESMTP
	id S262099AbVAOBqC (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 14 Jan 2005 20:46:02 -0500
Subject: Re: thoughts on kernel security issues
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Linus Torvalds <torvalds@osdl.org>
Cc: "Theodore Ts'o" <tytso@mit.edu>, Dave Jones <davej@redhat.com>,
       Marek Habersack <grendel@caudium.net>,
       Marcelo Tosatti <marcelo.tosatti@cyclades.com>,
       Greg KH <greg@kroah.com>, Chris Wright <chrisw@osdl.org>, akpm@osdl.org,
       Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
In-Reply-To: <Pine.LNX.4.58.0501141444360.2310@ppc970.osdl.org>
References: <Pine.LNX.4.58.0501121148240.2310@ppc970.osdl.org>
	 <20050112174203.GA691@logos.cnet>
	 <1105627541.4624.24.camel@localhost.localdomain>
	 <20050113194246.GC24970@beowulf.thanes.org>
	 <20050113200308.GC3555@redhat.com>
	 <Pine.LNX.4.58.0501131206340.2310@ppc970.osdl.org>
	 <1105644461.4644.102.camel@localhost.localdomain>
	 <Pine.LNX.4.58.0501131255590.2310@ppc970.osdl.org>
	 <20050114183415.GA17481@thunk.org>
	 <Pine.LNX.4.58.0501141047470.2310@ppc970.osdl.org>
	 <20050114221343.GA18140@thunk.org>
	 <Pine.LNX.4.58.0501141444360.2310@ppc970.osdl.org>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-Id: <1105748623.9838.95.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6 (1.4.6-2) 
Date: Sat, 15 Jan 2005 00:34:14 +0000
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1864
Lines: 41

On Gwe, 2005-01-14 at 22:51, Linus Torvalds wrote:
> Sure, you can do that, and if you do that, then the world recognizes you 
> for what you are - nothing but a publicity-seeking creep.

And what does that make writing your own operating system ? Some of the
security folks are publicity seekers, others see it as an investment
against getting a job by becoming known. Quite a few we deal with a
large professional organisations who don't need publicity and actually
the more interesting bodies often don't *want* publicity just to ensure
that all their vendors have fixes before things go public and that their
government infrastructure and nation state will be best served. 

> THAT is why vendor-sec is bad. It allows publicity-seeking creeps to take 
> on the mantle of being "good".

They don't agree with you, nor do the economists I'm afraid.

> I'm arguing for exposing them for what they are. If that hurts some 
> feelings, tough ;)

Its ok I'm sure they think you are an arrogant clueless jerk 8)

> It's not a one- or two-week delay. Once the vendor-sec mentality takes 
> effect, the delay inevitably grows. You _always_ have excuses for 
> delaying, and as shown by this thread, a _lot_ of people believe them.

The "vendor-sec" mentality - from someone who has never been involved in
it. Ah yes Linus you might want to consider writing articles for a local
newspaper you appear to have the right qualifications for it 8)

vendor-sec has a lot of people on it who don't like long non-disclosure
periods and get quite annoyed when they happen out of our control (eg
CERT originated notifications). 

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/