http://projects.info-pull.com/mokb/
These guys have decided, in the "spirit" of JD Moore, to publish a bug a day in the month of November. Yikes! Dave might not be sleeping too much in the next month, along with the rest of the kernel developers. Is it really too much to ask for private disclosure first? Nahhhh, screw everybody.
-- Gilbert Sebenste (My opinions only!)
Wed, 01 11 2006 at 21:57 -0600, Gilbert Sebenste wrote:
> http://projects.info-pull.com/mokb/
> These guys have decided, in the "spirit" of JD Moore, to publish a bug a day in the month of November. Yikes! Dave might not be sleeping too much in the next month, along with the rest of the kernel developers. Is it really too much to ask for private disclosure first? Nahhhh, screw everybody.
Excellent idea, more fixed bugs are better. Although my thoughts do go out to poor Dave; I hope he gets his minion soon, or how about adding more people to the army of clones named Ingo Molnar?
- David
On Wed, 2006-11-01 at 21:57 -0600, Gilbert Sebenste wrote:
> http://projects.info-pull.com/mokb/
> These guys have decided, in the "spirit" of JD Moore, to publish a bug a day in the month of November. Yikes! Dave might not be sleeping too much in the next month, along with the rest of the kernel developers. Is it really too much to ask for private disclosure first? Nahhhh, screw everybody.
I, for one, think that this is a great idea. Finding and fixing bugs in something as critical as the kernel (especially the filesystem code as I understand their page) is a definite plus.
Though, DaveJ will likely not get much sleep. He needs his minion soon. :)
On Wednesday 01 November 2006 23:23, Peter Gordon wrote:
> I, for one, think that this is a great idea. Finding and fixing bugs in something as critical as the kernel (especially the filesystem code as I understand their page) is a definite plus.
Finding the bugs is great; however, reporting security flaws to vendor-sec and allowing vendors to coordinate in releasing the right fix at the same time is better for the end users and the community. Just dumping a new vulnerability a day into public space is just creating chaos. Vendors will scramble to fix the flaw, different patches will be used, updates will be rushed out, etc.
On Wed, 2006-11-01 at 23:30 -0500, Jesse Keating wrote:
> On Wednesday 01 November 2006 23:23, Peter Gordon wrote:
> > I, for one, think that this is a great idea. Finding and fixing bugs in something as critical as the kernel (especially the filesystem code as I understand their page) is a definite plus.
> Finding the bugs is great; however, reporting security flaws to vendor-sec and allowing vendors to coordinate in releasing the right fix at the same time is better for the end users and the community. Just dumping a new vulnerability a day into public space is just creating chaos. Vendors will scramble to fix the flaw, different patches will be used, updates will be rushed out, etc.
Right. I didn't catch that aspect of it. Thanks for the explanation. O:)
-- Peter Gordon (codergeek42)
GnuPG Public Key ID: 0xFFC19479 / Fingerprint: DD68 A414 56BD 6368 D957 9666 4268 CB7A FFC1 9479
My Blog: http://thecodergeek.com/blog/
On Wed, Nov 01, 2006 at 23:30:01 -0500, Jesse Keating jkeating@redhat.com wrote:
> On Wednesday 01 November 2006 23:23, Peter Gordon wrote:
> > I, for one, think that this is a great idea. Finding and fixing bugs in something as critical as the kernel (especially the filesystem code as I understand their page) is a definite plus.
> Finding the bugs is great; however, reporting security flaws to vendor-sec and allowing vendors to coordinate in releasing the right fix at the same time is better for the end users and the community. Just dumping a new vulnerability a day into public space is just creating chaos. Vendors will scramble to fix the flaw, different patches will be used, updates will be rushed out, etc.
Not everyone agrees with that stance. There is another view that letting everyone know at once lets sysadmins do mitigation sooner than if they waited for the vendors to simultaneously release updates.
However, sitting on bugs (so as to release one a day) without notifying vendors or the public is not a nice thing to do.
On Wed, Nov 01, 2006 at 09:57:46PM -0600, Gilbert Sebenste wrote:
> http://projects.info-pull.com/mokb/
> These guys have decided, in the "spirit" of JD Moore, to publish a bug a day in the month of November. Yikes! Dave might not be sleeping too much in the next month, along with the rest of the kernel developers. Is it really too much to ask for private disclosure first? Nahhhh, screw everybody.
We've been playing with the fsfuzzer tool referenced there for a while (and several other similar tools -- in fact, the recent 1k block bug was found by a different filesystem fuzz tool), and people are already looking into bugs found by it. Eric Sandeen, for example, already fixed up a few problem areas in ext3, which are fixed in the soon-to-be-released update for FC5/FC6.
I don't think I'm going to lose any more sleep than usual :)
Dave