There’s been a lot of discussion on the intertubes about some comments that Linus Torvalds, the creator of Linux, has made about security vulnerabilities and disclosure. Not surprisingly, there’s been a fair amount of discussion amongst the various MSFT security folks about his comments and about the comments about his comments (are those meta-comments?).
The whole thing started with a posting from Linus where he says:
Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies – and thus encourages – the wrong behavior.
It makes “heroes” out of security people, as if the people who don’t just fix normal bugs aren’t as important.
He also made some (IMHO) unprofessional comments about the OpenBSD community, but I don’t think that’s relevant to my point.
Linus has followed up his initial post with an interview with Network World where he commented:
“You need to fix things early, and that requires a certain level of disclosure for the developers,” Torvalds states, adding, “You also don’t need to make a big production out of it.”
“What does the whole security labeling give you? Except for more fodder for either of the PR camps that I obviously think are both idiots pushing for their own agenda?” Torvalds says. “It just perpetrates that whole false mind-set” and is a waste of resources, he says.
As a part of our internal discussion, Crispin Cowan pointed out that Linus doesn’t issue security updates for Linux, instead the downstream distributions that contain the Linux kernel issue security fixes.
That comment was the catalyst – after he made the comment, I realized that I think I understand the meaning behind Linus’ comments.
IMHO, Linus is thinking about security bugs as an engineer. And as an engineer, he’s completely right (cue the /. trolls: “MSFT engineer thinks that Linux inventor is right about something!”).
As a software engineer, I fully understand where Linus is coming from: From a strict engineering standpoint, security bugs are no different from any other bugs, and treating them as somehow “special” denigrates other bugs. It’s only when you consider the consequences of security bugs that they become more interesting.
A non-security bug can result in an unbootable system or the loss of data on the affected machine, and such bugs can be very, very bad. But security bugs are special because they’re bugs that allow a third party to mess with your system in ways that you didn’t intend.
Simply put, your customers’ data is at risk from security bugs in a way that it isn’t from normal defects. There are lots of bad people out there who would just love to exploit any security defect in your product. Security updates are more than just “PR”: they provide critical information that customers use to help determine the risk associated with taking a fix.
Every time your customers need to update the software on their computers, they take the risk that the update will break something (that’s a large part of the reason that MSFT takes its time when producing security fixes – we test the heck out of stuff to reduce the risk to our customers). But because the bad guys can use security vulnerabilities to compromise their customers’ data, your customers want to roll out security fixes faster than they roll out other fixes.
That’s why it’s so important to identify security fixes – your customers use this information for risk management. It’s also why Microsoft’s security bulletins carry mitigating factors that help customers identify whether they are at risk. For example, MS08-045, which contains a fix for CVE-2008-2257, has a mitigating factor noting that on Windows Server 2003 and Windows Server 2008 the Enhanced Security Configuration mode mitigates this vulnerability. A customer can use that information to know whether they will be affected by MS08-045.
But Linus’ customers aren’t the users of Linux. They are the people who package up Linux distributions. As Crispin commented, the distributions are the ones that issue the security bulletins, and they’re the ones that work with their customers to ensure that the users of the distribution are kept safe.
By not clearly identifying which fixes are security related fixes, IMHO Linus does his customers a disservice – it makes the job of the distribution owner harder because they can’t report security defects to their customers. And that’s why reporting security bug fixes is so important.
Edit: cleared out some crlfs