From: Tom Wijsman
To: gentoo-dev@lists.gentoo.org
Cc: rich0@gentoo.org, gregkh@gentoo.org
Date: Fri, 9 Aug 2013 15:28:54 +0200
Subject: Re: [gentoo-dev] Vanilla sources stabilization policy change
Message-ID: <20130809152854.16d58816@TOMWIJ-GENTOO>
References: <20130724175410.10332.qmail@stuge.se> <20130724190130.15592.qmail@stuge.se> <20130724191515.16758.qmail@stuge.se> <20130724230911.GA12710@kroah.com> <20130807113721.4a80eba2@TOMWIJ-GENTOO> <20130807224434.GA7359@kroah.com> <20130808043732.268e8950@TOMWIJ-GENTOO> <20130808223245.GB30314@kroah.com> <20130809103458.5e42c611@TOMWIJ-GENTOO>

On Fri, 9 Aug 2013 06:38:56 -0400
Rich Freeman wrote:

> My sense is that Greg is using the term security bugs to refer to
> implementation errors that could be exploited to obtain unintended
> access to a system. Using this definition, any bug could be a
> security bug, and figuring this out is about as easy as figuring out
> whether a particular move is a good or bad one in chess.

That's indeed not what I understood; Greg, was this your thought?

> I think Tom is using the term security bug to refer to a bug that has
> a published exploit against it (ie a CVE/etc). Using this definition
> it is clear whether a particular bug is a security bug - it is either
> in the database or it isn't.

This is indeed what I assumed Greg meant; so, thanks for clarifying.

> I don't follow the kernel closely, but my guess is that they stay
> well-ahead of CVE most of the time. I'd certainly say that any
> project should clearly document which releases incorporate fixes to
> CVEs - perhaps the kernel already does this.

Currently I don't see this; so, my assumption was that it does not currently happen. As far as I have seen, this appears to happen on an individual basis, but I assume not everyone does report to CVE.

Reporting to CVE is much more work than it takes to tag a commit; so, as you can see, tagging here might be a benefit to lift the work to other people that have more time for reporting it as a CVE, etc...

> Since most bugs get fixed before anybody bothers to file a CVE, I'm
> not sure how much that actually matters in practice.

It is dangerous to assume something you fix isn't known yet. As I said before, it buys the people that do know time; whether or not a CVE or any other form of public or less public documentation on it exists.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D