On May 16, 2006, at 04:28, Muli Ben-Yehuda wrote:
> On Tue, May 16, 2006 at 04:15:19AM -0400, Kyle Moffett wrote:
>> On May 15, 2006, at 22:50, Muli Ben-Yehuda wrote:
>>> On Mon, May 15, 2006 at 11:41:07PM +0100, Alan Cox wrote:
>>>> A paper by people who can't work out how to mail linux-kernel or
>>>> vendor-sec, or follow "REPORTING-BUGS" in the source,
>>>
>>> Zvi did contact Matt Mackall, the current /dev/random maintainer,
>>> and was very keen on discussing the paper with him. I don't think
>>> he got any response.
>>
>> So he's demanding that one person spend time responding to his paper?
>
> Who said anything about demanding? He wanted to discuss the paper.
> He received no response (AFAIK). Please don't read more into it.

Pardon; my wording was overly harsh, but I still want to point out
that assuming an unresponsive MAINTAINERS entry indicates that the
person doesn't care is totally wrong. Given the volume of email a
lot of these people receive, it's very easy for it to go unnoticed or
be trapped by a spam filter. Publishing to the LKML is virtually
always OK; even if you have a security problem, the average
turnaround for "critical" security fixes like theoretical local root
exploits is around 24 hours or so. We went through about 8 stable
"releases" over the course of a little more than a week because of
several fairly urgent security fixes during that time.

>> The "maintainer" for any given piece of the kernel is the entry in
>> MAINTAINERS *and* [email protected] *and* the
>> appropriate sub-mailing-list.
>
> For security related information, it is sometimes best not to tell
> the whole world about it immediately (although you should
> definitely tell the whole world about it eventually). It should've
> probably been posted to lkml when mpm didn't respond, I agree. I'll
> take the blame for not suggesting that to Zvi.

As I said above, even the LKML is probably ok if you think you've
found an actual exploit. If you really feel nervous about exposing
it, I believe there's a [email protected] email where you can send
such information which will even tentatively agree to a coordinated
disclosure if you can prove that it's an urgent security problem.

Cheers,
Kyle Moffett
--
Premature optimization is the root of all evil in programming
-- C.A.R. Hoare