http://www.kerneltrap.org/taxonomy/term/405/0 en-local http://www.kerneltrap.org/Linux/Security_Bugs_and_Full_Disclosure <div class="taxonomy-images"><a href="/news/linux" class="taxonomy-image-links"><img src="http://kerneltrap.org/files/category_pictures/K-Linux.gif" alt="Linux news" title="Linux news" width="75" height="75" /></a></div><!-- google_ad_section_start --><p>In an <a href="http://kerneltrap.org/mailarchive/linux-kernel/2008/7/3/2332494">announcement for the 2.6.25.10 stable kernel</a>, Greg KH noted, "<i>it contains a number of assorted bugfixes all over the tree. And once again, any users of the 2.6.25 kernel series are STRONGLY encouraged to upgrade to this release.</i>" The emphasis on the word <em>strongly</em> led to a lengthy discussion about how security fixes are handled in the Linux Kernel. Linus Torvalds <a href="http://kerneltrap.org/mailarchive/linux-kernel/2008/7/15/2497674">replied</a>, "<i>I personally consider security bugs to be just 'normal bugs'. I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.</i>" Later in the thread he went on to explain, "<i>one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior. It makes 'heroes' out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking.</i>"</p> <p>Theodore T'so <a href="http://kerneltrap.org/mailarchive/linux-kernel/2008/7/15/2508024">pointed out</a> that other developers had different beliefs about disclosure than Linus and referred to mailing lists such as the private security@ list described in the <a href="http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/SecurityBugs;h=26c3b3635d9fa1b017f2b23e35c342fb92e76977;hb=HEAD">SecurityBugs documentation</a>, originally <a href="http://kerneltrap.org/node/4540">created in early 2005</a>. He then described Linus' stance, "<i>if Linus finds out about a security bug, he will fix it and check it into the public git repository right away. But he's very honest in telling you that is what he will do --- so you can choose whether or not to include him in any disclosures that you might choose to make.</i>" Regarding whether Full Disclosure is the best policy, Ted highlighted the fact that the debate has been going on for several decades, "<i>it is clear that we're not going settle this debate now, and certainly not on the Linux Kernel Mailing List.</i>" Later in the discussion, Linus offered a succinct summary of his viewpoint, "<i>my responsibility is to do a good job. And not pander to the people who want to turn security into a media circus.</i>"</p> <!-- google_ad_section_end --><p><a href="http://www.kerneltrap.org/Linux/Security_Bugs_and_Full_Disclosure" target="_blank">read more</a></p> http://www.kerneltrap.org/Linux/Security_Bugs_and_Full_Disclosure#comments 2.6.25 bugs Greg KH Linus Torvalds Linux security Theodore T'so Linux news Wed, 16 Jul 2008 12:57:33 +0000 Jeremy 16395 at http://www.kerneltrap.org http://www.kerneltrap.org/node/8066 <div class="taxonomy-images"><a href="/news/linux" class="taxonomy-image-links"><img src="http://kerneltrap.org/files/category_pictures/K-Linux.gif" alt="Linux news" title="Linux news" width="75" height="75" /></a></div><!-- google_ad_section_start --><p>A recent discussion on the <a href="http://www.tux.org/lkml/">lkml</a> examined the possibility of a Linux implementation of Sun's <a href="http://en.wikipedia.org/wiki/Zettabyte_File_System">ZFS</a>. It was pointed out that the file system is released under the <a href="http://www.gnu.org/philosophy/license-list.html#CDDL">GPL-incompatible</a> <a href="http://www.sun.com/cddl/">CDDL</a>, and that Sun has filed numerous patents to prevent ZFS from being reverse engineered. Max Yudin pointed out, "<i>according to <a href="http://blogs.sun.com/bonwick/entry/zfs_the_last_word_in">Jeff Bonwick's blog</a> Sun issued 56 patents on ZFS, but I have no idea what they patented. Sorry, binary compatible ZFS reimplementation with GPL license might not be legal.</i>" David Litwin noted that he had been told by a ZFS developer to talk to Linux developers to see about getting non-GPL'd code included with the kernel. Theodore T'so replied, "<i>that was totally useless answer from the ZFS developers. What he should have told you is to contact Sun management, since they are the only ones who can decide whether or not to release ZFS under a GPL license, and more importantly, to give a patent license for any patents they may have filed in the course of developing ZFS.</i>"</p> <p>Alan Cox [<a href="http://kerneltrap.org/node/view/9">interview</a>] suggested, "<i>the real test of whether Sun were serious about ZFS being anywhere but Solaris is what they do to license it - they've patented everything they can, and made the code available only under licenses incompatible with other OS products. Their intent is quite clear, and quite sad. Compare it to what the old Sun company did with NFS, which is now a standard used everywhere.</i>" Theodore T'so added, "<i>given that Sun has reportedly filed a huge number of patents covering ZFS and has refused to make them available for anything other than Solaris --- and there are senior Sun programmers who have on record stated that one of the reasons why Sun picked the CDDL was precisely because it was incompatible with GPL and Sun fears Linux ---- I wouldn't bet on Sun being willing to making a patent license available to a hypothetical alternate implementation of the ZFS format for Linux.</i>" He went on to note, "<i>of course, this is all open source. If someone wants to work on reimplementing ZFS from scratch, either in userspace or in the kernel, certainly the Linux community won't st