Linux creator Linus Torvalds had a few things to say this week about the way potential security issues are disclosed to fellow open sourcers. And it wasn’t all good.
His comments came as part of a mailing list discussion among kernel developers about creating a security contact point for people to use when potential kernel security issues arise.
According to kernel developer Chris Wright, who began the discussion thread, kernel security issues are currently discussed in multiple locations, including the Linux Kernel mailing list, kernel maintainers and the limited-access vendor-sec mailing list. Membership in the vendor-sec list is decided by consensus among existing members, who include most of the major Linux distributions. In addition, security advisories discussed on the list are embargoed so that vendors have time to prepare fixes before full public disclosure.
Torvalds responded that the idea of a central contact point sounded like a good thing to have, as is maintaining limited access. However, he said he is strongly opposed to an embargo on the list for a variety of reasons.
“I’d be very happy with a ‘private’ list in the sense that people wouldn’t feel pressured to fix it that day,” Torvalds wrote. “And I think it makes sense to have some policy where we don’t necessarily make them public immediately in order to give people the time to discuss them. But it should be very clear that no entity (neither the reporter nor any particular vendor/developer) can require silence, or ask for anything more than ‘let’s find the right solution.’
“Otherwise it just becomes politics: You end up having security firms that want a certain date because they want a PR blitz, and you end up having vendors who want a certain date because they have release issues,” he said.
“The only thing I really care about is that we can serve the people who depend on us by giving them source code that is as bug-free and secure as we can make it,” Torvalds explained. “If that means that we should make the changelogs be a bit less verbose because we don’t want to steal the thunder from the people who found the problem, that’s fine.”
Delayed disclosure, as currently practiced by the vendor-sec list, is broken in Torvalds’ opinion. He said he strongly believes that users should get updates before a disclosure is made.
“I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,” Torvalds continued. “And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.”
Torvalds said he would accept a totally open list with no embargo and no limits on who reads it. However, he admits that his preferences are extreme and that there needs to be some middle ground between that and vendor-sec, which limits both who may read the list and how long a fix may be withheld.
The current vendor-sec policy means that in some cases, vendors fix kernel security issues before they are fixed on the main kernel.org development site.
“So it’s embarrassing to everybody if the kernel.org kernel has a security hole for longer than vendor kernels, but at the same time, most users run vendor kernels anyway, so maybe the current setup is the proper one, and the kernel.org kernel should be the last one to get the fix,” Torvalds wrote. “Whatever. I happen to believe in openness, and vendor-sec does not. It’s that simple.”
The bottom line on kernel security, though, is that the kernel does have bugs that will need to be exposed and then patched. The creator of Linux made no excuses for kernel security and noted that users should take additional precautions of their own.
“Quite frankly, nobody should ever depend on the kernel having zero holes,” Torvalds wrote. “We do our best, but if you want real security, you should have other shields in place.”
Among those other shields are components like exec-shield (which has at points been discussed as a possible addition to the main kernel). Torvalds also named, as another shield, a compiler that places guard values on the stack frame so that an overflow of a local buffer is detected before the function returns.
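To show what the guard-value shield actually does, here is an added C example that is not from the article, the kernel, or any compiler; it hand-rolls the check that options such as GCC's -fstack-protector insert automatically. The frame is simulated in a byte array (an assumption made so the demo is well-defined C), the guard value is constructed, and the copy is clamped to the frame so the demo itself never writes out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a 16-byte local buffer followed by an 8-byte guard.
 * A real compiler places the guard between the locals and the saved return
 * address, so an overflow that reaches the return address must cross it. */
#define BUF_LEN   16
#define GUARD_LEN 8
#define FRAME_LEN (BUF_LEN + GUARD_LEN)

/* Constructed guard value for the demo. A real implementation picks a random
 * value per process; the leading 0x00 byte is the classic trick that stops
 * C string functions from copying through the guard. */
static const uint8_t guard[GUARD_LEN] = {0x00, 0xde, 0xad, 0xbe, 0xef, 0x13, 0x37, 0x42};

/* Copy `len` bytes of `input` into the frame's buffer, then verify the guard.
 * Returns 1 if the guard is intact (the copy stayed inside the buffer) and
 * 0 if the guard was clobbered (an overflow was detected).
 * The clamp to FRAME_LEN is part of the simulation, not of the technique. */
int guarded_copy(const uint8_t *input, size_t len)
{
    uint8_t frame[FRAME_LEN];

    /* Function prologue: install the guard above the local buffer. */
    memcpy(frame + BUF_LEN, guard, GUARD_LEN);

    /* The unchecked copy a vulnerable function would perform. */
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    memcpy(frame, input, len);

    /* Function epilogue: compare the guard before "returning". */
    return memcmp(frame + BUF_LEN, guard, GUARD_LEN) == 0;
}

/* Convenience wrapper: feed a C string of arbitrary length to the frame. */
int check_input(const char *s)
{
    return guarded_copy((const uint8_t *)s, strlen(s));
}

int main(void)
{
    /* Constructed inputs: one that fits, one that exactly fills the buffer,
     * and one that runs past it into the guard. */
    const char *inputs[] = {
        "hello",
        "0123456789abcdef",
        "0123456789abcdefghij",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s guard %s\n", inputs[i],
               check_input(inputs[i]) ? "intact" : "CLOBBERED (abort)");
    return 0;
}
```

A compiler-inserted guard aborts the process when the check fails instead of returning a value; the point of the shield is that a clobbered return address is never used, which is why Torvalds lists it alongside the kernel's own fixes rather than as a replacement for them.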
In addition, he said he accepts that obscurity can be one layer of security but doesn’t believe that secrecy is a good approach to securing the Linux kernel.
“I believe that ‘security through obscurity’ can actually be one valid level of security (after all, in the extreme case, that’s all a password ever really is),” Torvalds wrote.
“So I believe that in the case of hiding vulnerabilities, any ‘security gain’ from the obscurity is more than made up for by all the security you lose through delaying action and not giving people information about the problem.”