"This is the most popular operating system kernel on the planet used by
billions of devices."
This is exactly why it is important to see how well it is protected. We
want it to be as secure as possible.
The experiment could not happen at all with the Windows kernel since it's
not open source. Some people claim open source has the advantage of many
eyes. Is that true? That's the question.
When you want to really test your company's security you hire some pen
testers. They may find security holes. Don't get triggered if they find
some problems.
The security of the Linux kernel, the high code churn, the volatility of
kernel API changes, kernel CI and automated testing system, the shenanigans
around dissing CVE numbers - these are all concerns and topics raised by
many security-minded people in various conferences. Some knuckleheads get
really butt hurt when such questions arise.
I have followed the GRSecurity and the PaX team's work for decades now. Just take
a look at some of the blog posts at https://grsecurity.net/blog - not too
rarely it turns out that bug Y which was recently fixed in the kernel (and
was present for X years, where sometimes X is a big number) had already been fixed
in GRSecurity for many years. With that I don't want to advocate for
GRSecurity per se, I'm just always appalled to see how the kernel has
serious problems around security and a huge space to improve.

So newbies are not welcome; then how would those three patches from the
publication actually land in the kernel? They would have, had the
researchers not warned the maintainers after the OK signal was already
given. Quote from the publication:

"At the same time, we point out
the correct fixing of the bug and provide our correct patch.
In all the three cases, maintainers explicitly acknowledged
and confirmed to not move forward with the incorrect patches"

It's in all of our interest to make the kernel more secure. Yes, sometimes
that means a stealth pen test.
Maybe UMN made some mistakes but to ban them is too harsh. The takeaway
should be that the patches would have gone through and how that process can
be fortified.

On Sat, Apr 24, 2021 at 12:52 PM 'Michael Chaney' via NLUG <
[email protected]> wrote:

> Start reading here:
>
>
> https://lore.kernel.org/linux-nfs/[email protected]/
>
> This is one of my favorites, the original is gone but you can get some of
> it in the reply:
>
> https://lore.kernel.org/linux-nfs/yh%2ffm%[email protected]/
>
> This is the part - note that Pakki is claiming that he's submitting these
> based on a new static analyzer.  Just read it:
>
> "> Greg,
> >
> > I respectfully ask you to cease and desist from making wild accusations
> > that are bordering on slander.
> >
> > These patches were sent as part of a new static analyzer that I wrote and
> > its sensitivity is obviously not great. I sent patches on the hopes to get
> > feedback. We are not experts in the linux kernel and repeatedly making
> > these statements is disgusting to hear.
>
> [note - he's lying]
> >
> > Obviously, it is a wrong step but your preconceived biases are so strong
> > that you make allegations without merit nor give us any benefit of doubt.
> >
> > I will not be sending any more patches due to the attitude that is not only
> > unwelcome but also intimidating to newbies and non experts.
>
> I love this.  "unwelcome but also intimidating to newbies and non experts".
>
> SMH.
>
> This is the most popular operating system kernel on the planet used by
> billions of devices.  If you're a "newbie" or "non expert" I would hope
> that it's not just "unwelcome" and "intimidating" - I would hope that they
> would be outright hostile to you.  It's not your playground, idiot.  Try
> walking into Microsoft and present yourself as a "non expert newbie" and
> see if they'll put you right to work on the Windows kernel.  Go to Apple
> and tell them you're new to programming but you'd like to have commit
> rights to the Darwin kernel.  See how far you get.
>
> I am glad to see that the guys working on a kernel that I depend on in
> several ways don't welcome "non experts".  More of this, please.
>
> Michael
> --
> Michael Darrin Chaney, Sr.
> [email protected]
> http://www.michaelchaney.com/
>
