days
-4
-1
hours
0
-1
minutes
-4
-7
seconds
-2
-5
search
JAX Developers Puzzle deadline approaching: Play for a chance to win a complimentary JAX London 2018 ticket!
Let's not piss about

Linux security problems should be public, says Torvalds

Natali Vlatko
Data security image via Shutterstock

Linux founder Linus Torvalds has gone on the record about Linux security disclosures, and his desire to be more responsible with security disclosure timeframes.

At the recent linux.conf.au in Auckland, New Zealand, Linux pioneer Linus Torvalds expressed his views on the need for better security disclosure during a Q&A session with fellow panelists Bdale Garbee, Andrew Tridgell, and kernel coder Rusty Russell.

The linux.conf.au is widely regarded by delegates as one of the best community run Linux conferences worldwide and is one of the foremost open source conferences in the world. Every year open source geeks from across the globe gather to meet their fellow technologists, share the latest ideas and innovations, and spend a week collaborating on free, open source software projects.

Reasonable disclosure

Answering questions about security and bugs in the open source community, one question focused on the way that the reporting of bugs for Linux has changed in the last 12 months. Attending as a keynote speaker, Torvalds admitted that “security is just a hard problem”, however his comments about security were in favour of publicising issues, which Torvalds himself finds personally satisfying:

I’m a huge believer in just disclosing, still somewhat responsibly… but security problems need to be made public. And there are who people argue, and have argued for decades, that you never want to talk about security problems because that only helps the black hats. The fact is that I think you absolutely need to report them and and you need to report them in a reasonable time frame.

The definition of ‘reasonable’ according to Torvalds is what is currently being implemented on the kernel security mailing list, which is five working days. Torvalds accepts that for some people this is “a bit extreme.” While other projects may take a month or two to address certain concerns, Torvalds believes this is much better than preceding attitudes to security, noting the “years and years of silence” that was previously the norm.

SEE ALSO: What David Cameron’s proposed UK encryption ban means for IT

You can watch Torvalds speak at the linux.conf.au panel discussion here.

Author
Natali Vlatko
An Australian who calls Berlin home, via a two year love affair with Singapore. Natali was an Editorial Assistant for JAXenter.com (S&S Media Group).

Leave a Reply

Be the First to Comment!

avatar
400
  Subscribe  
Notify of