Torvalds bashes vendor-sec private Linux security list
Last week, Linux was tagged with a local NULL pointer flaw that could have led to a privilege escalation issue. Linux founder Linus Torvalds pushed a patch upstream quickly and now that patch is in the Linux 2.6.31 -rc6 milestone.
Torvalds notes in the 2.6.31 rc6 releases notes that the issue wasn't as bad as it could have been, and that he would have likely delayed the fix were it not for the fact that a private list (vendor-sec), apparently wasn't private after all.
"There's the NULL pointer fix that was already talked up on Slashdot, but
quite frankly, assuming we got all the "you can't map things at zero"
issues fixed from the last scare, that one hopefully wasn't quite as bad
as it could have been," Torvalds wrote. "What was perhaps an interesting (if trivial) detail is that if it
hadn't been for vendor-sec apparently leaking like a sieve, we'd have
delayed the fix until the next -rc due to trying to be polite to
Back in 2005, Torvalds criticized vendor-sec, arguing that delayed disclosure, as is currently done by the vendor-sec list, is broken. He said he strongly believes that users should get updates before a disclosure is made.
"I think kernel bugs should be fixed as soon as humanly possible, and any
delay is basically just about making excuses," Torvalds said in 2005. "And that means
that as many people as possible should know about the problem as early as possible,
because any closed list (or even just anybody sending a message to me personally)
just increases the risk of the thing getting lost and delayed for the wrong reasons."
I completely agree. Openness and transparency are the key to true security. However, I do also understand how this can put vendors and users at risk, since patches aren't going to be co-ordinated. It's a tough call and very delicate balance that needs to be achieved.