Security problems need to be made public: Linus Torvalds
Posted: Wed Jan 21, 2015 10:54 am
Summary: The creator of the Linux kernel and Git has said that security issues should be publicly disclosed, not swept under the rug where vendors can leave them unsolved for years.
Linus Torvalds has told a Q&A session at Linux.conf.au that he is a huge believer in disclosing security issues publicly.
Sharing the stage with Bdale Garbee, chairman of the Debian technical committee, Samba author Andrew "Tridge" Tridgell, and kernel contributor Rusty Russell, Torvalds said on Friday that security is a hard problem, and it is satisfying to see more public disclosures.
"People are less willing sometimes to brush the problem under the mat, and leave it up to vendors that have disclosures, like infinity long disclosure times," he said. "I'm a huge believer in just disclosing, still somewhat responsibly, but security problems need to be made public -- and there are people who argue, and have argued for decades, that you never want to talk about security problems because that only helps the black hats -- and the fact is that I think you absolutely need to report them, and you need to report them in a reasonable time frame.
"The kernel security list [time frame] is admittedly five working days, which some people think it's a bit extreme, and in other projects it might be a month or a couple of months, but that's still much better than the years and years of silence which we used to have."
Garbee said he is pleased to see activities such as the Linux Foundation core infrastructure initiative happen.
"The idea that we're at least trying to figure out how to get more eyeballs on some of the things that we all agree are some of the most important elements of code in our infrastructure, and that we found the corporate members of our extended community willing to ante up to help make that happen, is pretty cool."
Torvalds' comments come amid a public spat, and a series of bug disclosures, between Microsoft and Google. Last week, a series of Windows security issues were automatically publicly disclosed by Google after its Project Zero 90-day deadline passed.
In one case, Microsoft said that a fix was set to be released two days after Google's automated disclosure; in another, Google's James Forshaw said that Microsoft had planned a fix for a further issue this month, but that it would be delayed until February because of compatibility issues discovered by Microsoft.
Microsoft said in a statement over the weekend that it believes security researchers should work with software companies to privately disclose vulnerabilities and work together to further protect customers. Chris Betz, senior director of the Microsoft Security Response Center, said in a blog post that what is right for Google with its disclosure policy is not always right for customers.
"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," he said. "We urge Google to make protection of customers our collective primary goal."
In the Q&A session at Linux.conf.au, Torvalds also said he is pleased that the Linux kernel played a part in making free software more approachable and open.
"I actually think one of the things that Linux has been really good at ... and this is going to raise a few hackles. I like open source, and I like this whole working together with commercial companies, and this whole notion that you don't need to vilify people who also do closed source," he said.
"So, for me personally, one of the big things I'm happy about is that I was part of the group, who tried to take -- and now, this is when Tridge will stand up and give the other answer -- who tried to take this very us against the world approach of free software and made it more open, not just in name, but also acceptable to people who don't necessarily believe in our values, but believe that our model is better and that's, to me, something that Linux was really instrumental in.
"At the same time, I'm really happy about Git too, because I think Git has spread more than the kernel in some respects, and maybe I'll be remembered more for Git than Linux. We'll see."