On May 25, 2005, at 09:15:33, Joerg Schilling wrote:
> If Linux believes that there should be enhanced security similar to
> Solaris and if Linux is a true open Source business, then I would
> expect that there is cooperation. If I change things in e.g. mkisofs
> or cdrecord that could result in problems for my "users", I send a
> notification mail to the XCDRoast & k3b authors early enough.

There was a security hole in the CD burner support. The Linux Kernel
developers fixed it quickly. They were not planning to wait 6 months
for you to get an updated version of cdrecord out the door in any case.
If you want more information on the Linux Kernel security policy,
please see a recent copy of the linux kernel for the file
Documentation/SecurityBugs. To quote the relevant part: "It is
reasonable to delay disclosure ... or for vendor coordination. However
we expect these delays to be short, measurable in days, not weeks or
months." Part of this policy includes "we'd like to know when a
security bug is found so that it can be fixed and disclosed as quickly
as possible." This seems to imply that the security team is not likely
to wait 6 months to fix a critical hardware-damaging vulnerability.

> If the cause for the change really was the "security problem" caused
> by the fact that Linux did allow to send SCSI commands on R/O file
> descriptors it would have been sufficient to require R/W permissions
> on the fd. After this putative small change, the supposed problem
> would have been fixed and cdrtools as well as other users of the
> interface did work as before.

I will not debate this issue with you. Please see the copious
quantities of emails when this issue was brought up a while ago.

Cheers,
Kyle Moffett