On 7/15/08, Linus Torvalds <torvalds@linux-foundation.org> wrote:
quoted text
>
>
> On Tue, 15 Jul 2008, Linus Torvalds wrote:
>> 
>> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's 
>> the "look at the source" approach.
>
> Btw, and you may not like this, since you are so focused on security, one 
> reason I refuse to bother with the whole security circus is that I think 
> it glorifies - and thus encourages - the wrong behavior.
>
> It makes "heroes" out of security people, as if the people who don't just 
> fix normal bugs aren't as important.
>
> In fact, all the boring normal bugs are _way_ more important, just because 
> there's a lot more of them. I don't think some spectacular security hole 
> should be glorified or cared about as being any more "special" than a 
> random spectacular crash due to bad locking.

I hate to state the obvious, but there's a reason security holes are treated differently - because they're *not* *obvious*. If a system is crashing spectacularly, generally someone notices and tries to fix it. On the other hand, security holes are usually invisible in normal operation until a hacker uses one to walk off with tens of thousands of people's credit card details. That's why there's so much effort put into tracking them.

quoted text
> Security people are often the black-and-white kind of people that I can't 
> stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in 
> that they make such a big deal about concentrating on security to the 
> point where they pretty much admit that nothing else matters to them.
>
> To me, security is important. But it's no less important than everything 
> *else* that is also important!

True, there are other serious types of bugs (silent data corruption is one particularly nasty one). However, for *any* serious bug, it's important to be clear on what the likely impact is and what's affected. This goes particularly for the ones that might otherwise not be obvious to the person affected until it's too late, such as security and silent data corruption bugs, but really it applies to all serious bugs. I'm not convinced these descriptions are clear enough.

Aidan
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/