| University of Minnesota Linux code security issues; banned and to be removed |
| magic:
--- Quote from: ataradov on April 29, 2021, 09:11:05 pm ---Their model matches standard industry practices. You can do this with any other project, open, or closed. --- End quote --- You are an embedded developer, we get it. You guys are infamous for your level of security :P Not everybody enjoys the same luxury, though. Some software needs to have fewer bugs than the industry average and has to face a severely adversarial environment, such as just about any network or a multi-user machine, for example. I was under the impression that OS kernels do belong to this group. I disagree about every other project, open or closed. For starters, you wouldn't even be able to submit patches like that to Windows. And even if you did, say by including them with an email to security@microsoft.com warning about a 0-day you just found, something makes me feel that they would review your fix quite thoroughly before shipping it. And remember, Linux is the guys who used to laugh at Microsoft 10 years ago. :-DD It's simply pathetic, there is no excuse. Edit: It's doubly pathetic because I have still seen no evidence nor admission from the submitters that the patches which actually made it to stable kernels :palm: were malicious. Remember, the deliberately malicious patches were "outed" by the submitters themselves as soon as they received approval on the mailing list. |
| ataradov:
--- Quote from: magic on April 30, 2021, 06:35:16 am ---I was under the impression that OS kernels do belong to this group. --- End quote --- That is up to the kernel authors to decide how to run their project. If you think their code quality is not sufficient, don't use it. --- Quote from: magic on April 30, 2021, 06:35:16 am ---For starters, you wouldn't even be able to submit patches like that to Windows. --- End quote --- Do you really think that out of thousands of programmers at Microsoft nobody left a juicy hole for later use? Are you sure that some of the huge holes that we are observing weekly are not introduced on purpose? And even if we say that there are no intentional bugs, why is Microsoft so bad at developing that their stuff gets hacked all the time? Maybe we need UoM to write an article on how Microsoft needs to do better code reviews before accepting new code? I bet an improved CoC would go a long way. Is there any indication that Linux has more bugs than Windows as a result of their "poor" development process? |
| magic:
I think they understand that a threat exists and must have reviews in place, or things would be much worse, like they used to be in the past. And Windows is a much juicier target too. And if you want to compare Windows vs Linux, don't forget to include all the bugs in GNOME and systemd :P |
| ataradov:
Linux also has reviews in place. Reviews do not catch everything. As I said, this is pretty standard in any practical industry. You can bog everything down in reviews so that you never do anything. And yes, the most secure software is the one that does not exist. And which is juicier is a question for the server environment. |
| bd139:
--- Quote from: magic on April 30, 2021, 06:44:20 am ---I think they understand that a threat exists and must have reviews in place, or things would be much worse, like they used to be in the past. And Windows is a much juicier target too. And if you want to compare Windows vs Linux, don't forget to include all the bugs in GNOME and systemd :P --- End quote --- Windows being a juicier target is the big deal. If one day it isn't, then it's game over. There are numerous really bad privsep problems in Linux. A fine example is asking yourself what a compromised Firefox process can access. The answer is anything in your home directory. People make a big deal about that not being a system-level compromise, but if your data is borked then there's no point in having the system. There is at least proper sandboxing on macOS and Windows for that scenario... Server side isn't much better. I've never seen anyone set up nginx properly, for example. LXC is slowly fixing that, but it's probably better to subcontract that concern out to Amazon and use their product abstractions as your security layering now. |
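The "what can a compromised Firefox read?" question above can be answered from the kernel's own view of the process rather than by assumption. The script below is an added example (not bd139's code and not anything from the Firefox or kernel projects): it reads the fields of /proc/<pid>/status, the LSM label in /proc/<pid>/attr/current and the mount namespace link, and reports whether anything actually restricts file access. It assumes a Linux /proc layout, that a label containing "unconfined" (AppArmor's default and the default SELinux desktop type) means no MAC profile applies, and that a mount namespace different from PID 1's means some sandbox wrapper was used. The sample status text is constructed for the demonstration. The key point it encodes: seccomp and an emptied capability bounding set limit syscalls and privilege escalation, but a process running as your UID can still open everything you own unless a MAC profile or a separate namespace says otherwise.

```python
"""Added example: estimate what confines a running desktop process (e.g. a
browser) from the kernel's /proc view, and whether $HOME is still readable.
Assumptions (not from the thread): Linux /proc layout; an LSM label that
contains 'unconfined' means no MAC profile; a mount namespace differing from
PID 1's means a container/sandbox wrapper is in use."""
import os


def parse_status(text):
    """Parse /proc/<pid>/status ('Key:\\tvalue' lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def confinement(status_text, lsm_label="unconfined", same_mntns_as_init=True):
    """Return which mechanisms restrict the process and whether $HOME is
    still readable. Seccomp mode 2 (filter) and a cleared CapBnd restrict
    syscalls and privilege escalation only; file access is governed by the
    UID, a MAC profile, or a separate mount namespace."""
    f = parse_status(status_text)
    seccomp_mode = int(f.get("Seccomp", "0"))       # 0 none, 1 strict, 2 filter
    no_new_privs = f.get("NoNewPrivs", "0") == "1"
    cap_bnd = int(f.get("CapBnd", "0"), 16)         # hex capability bitmask
    mac_confined = lsm_label != "" and "unconfined" not in lsm_label
    report = {
        "seccomp_filter": seccomp_mode == 2,
        "no_new_privs": no_new_privs,
        "cap_bounding_set_empty": cap_bnd == 0,
        "mac_confined": mac_confined,
        "own_mount_namespace": not same_mntns_as_init,
    }
    # Same UID as the owner of $HOME: only MAC or a namespace stops reads.
    report["home_readable"] = not (mac_confined or report["own_mount_namespace"])
    return report


def assess_pid(pid):
    """Live check against a real PID. Reads that fail (e.g. no ptrace access
    to PID 1's namespace link) are treated as 'no confinement seen'."""
    with open(f"/proc/{pid}/status") as fh:
        status_text = fh.read()
    try:
        with open(f"/proc/{pid}/attr/current") as fh:
            label = fh.read().strip("\n\x00")
    except OSError:
        label = "unconfined"
    try:
        same = os.readlink(f"/proc/{pid}/ns/mnt") == os.readlink("/proc/1/ns/mnt")
    except OSError:
        same = True
    return confinement(status_text, label, same)


# Constructed sample: a typical unsandboxed browser parent process. Full
# bounding set (0x1ff...), seccomp off, NoNewPrivs unset.
SAMPLE_STATUS = """Name:\tfirefox
Pid:\t4242
NoNewPrivs:\t0
Seccomp:\t0
CapBnd:\t000001ffffffffff
"""

if __name__ == "__main__":
    # Run as: python3 confinement.py  (prints the verdict for the sample)
    print(confinement(SAMPLE_STATUS))
```

Run assess_pid() against the PID of a real browser to compare: a content process typically shows seccomp_filter and no_new_privs set but still no MAC confinement, so home_readable stays True for the parent process that holds the profile data; a run under an AppArmor profile or a bubblewrap/firejail mount namespace flips it to False.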