Dailydave mailing list archives

Re: Security people are leaches. [sic]


From: pageexec () freemail hu
Date: Fri, 07 Aug 2009 11:22:17 +0200

On 6 Aug 2009 at 21:42, Adrien Kunysz wrote:

> On Sat, Aug 01, 2009 at 01:46:07PM +0200, Peter Busser wrote:
> > A secure system is one which is implemented to EXACTLY fit its specification,
> > nothing more, nothing less.
>
> Then we are back to "all bugs are security bugs and there is no point in
> trying to make any distinction".

except we don't live in a black and white world. 'security bug' or heck,
just 'bug' is not a binary property, there're many shades of grey in what
exactly the bug accomplishes. it's clearly not enough to state that 'this
commit fixes something but i did not want to bother to understand what',
users of said commits need more information than that. fortunately not all
developers share linus' mindset although their efforts are sometimes in
vain when what he commits intentionally omits security relevant information.

> Linus is obviously not interested in trying to make the distinction,

even if he was, he's not qualified to do that so it's a moot point. but he
can and should encourage active research because of his position instead of
downplaying the issue or outright biting the proverbial hand that feeds
him/them.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

