Friday, August 22, 2008

Torvalds: Fed up with the 'security circus'
Creator of the Linux kernel explains why he finds security people to be so anathema

Ellen Messmer (Network World) 15/08/2008 10:25:00

Linus Torvalds, creator of the Linux kernel, says he's fed up with what he sees as a "security circus" surrounding software vulnerabilities and how they're hyped by security people.

Torvalds explained his position in an e-mail exchange with Network World this week. He also expanded on critical comments he made last month that caused a stir in the IT industry.

Last month Torvalds stated in an online posting that "one reason I refuse to bother with the whole security circus is that I think it glorifies -- and thus encourages -- the wrong behavior. It makes 'heroes' out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are way more important, just because there's a lot more of them."

Never one to mince words, Torvalds also lobbed a verbal charge at the OpenBSD community: "I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them."

This week Torvalds -- who says the only person involved in the OpenBSD community with whom he talked to about the "monkeys" barb found it funny -- acknowledges others probably found it offensive.

Via e-mail, he also explains why he finds security people to be so anathema.

Too often, so-called "security" is split into two camps: one that believes in nondisclosure of problems by hiding knowledge until a bug is fixed, and one that "revels in exposing vendor security holes because they see that as just another proof that the vendors are corrupt and crap, which admittedly mostly are," Torvalds states.

Torvalds went on to say he views both camps as "crazy."

"Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence," Torvalds asserts. He says a lot of activity in both camps stems from public-relations posturing.

He says neither camp is absolutely right in any event, and that a middle course, based on fixing things as early as possible without a lot of hype, is preferable.

"You need to fix things early, and that requires a certain level of disclosure for the developers," Torvalds states, adding, "You also don't need to make a big production out of it."

Torvalds also says he doesn't care for labeling updates and changes to Linux as a security fix in a security advisory.

"What does the whole security labeling give you? Except for more fodder for either of the PR camps that I obviously think are both idiots pushing for their own agenda?" Torvalds says. "It just perpetrates that whole false mind-set" and is a waste of resources, he says.

It's better to avoid sticking solely to either "full and immediate disclosure" or ignoring bugs that might embarrass vendors, he points out. "Any situation that allows the vendor to sit on the bug for weeks or months is unacceptable, as is any situation that makes it harder for people who find problems to talk to technical people."

Torvalds says he's skeptical about the value of synchronized releases among vendors that favor the idea of an embargo of software vulnerability information until a fix from a vendor is ready.

That process discourages thinking about design changes to make it harder to have security bugs, Torvalds says. "So, the whole 'embargoes are good' mentality is just corruption from the vendors," he states. "But on the other hand, disclosure should not be the goal."

"I don't believe in either camp," Torvalds concludes. What he does favor is to "have a model where security is easier to do in the first place -- that is, the Unix model -- but make it easy for people to report bugs with no embargo, but privately."

He says the Linux kernel security list "is private" in the sense that "we don't need to leak things out further" to get some software issue fixed. He says the process allows, though doesn't encourage, a five-day embargo, and "even then, I will forward it to technical people on an 'as needed' basis, because even that embargo secrecy is not some insane absolute thing."


Ubuntu sponsor joins Linux Foundation

Ubuntu sponsor joins Linux Foundation
Paul Krill (InfoWorld) 19/08/2008 03:23:00

Canonical, the commercial sponsor of the Ubuntu Linux distribution, has joined the Linux Foundation, the foundation said Monday.

Canonical is an important new member, the organization said. "They have rallied the cause of cross-industry, cross-community collaboration for years," said Jim Zemlin, foundation executive director, in a statement released by the foundation.

Canonical also supports open source projects such as Bazaar, for revision control; the Storm object-relational mapper, and the Upstart start-up manager.

"The Linux Foundation occupies a critical, non-commercial function in the use and popularization of Linux around the world. We've always seen the Linux Foundation's value and are pleased to now become an official member and support its activities. We look forward to working with them to continue the march of Linux in all areas of computing," said Matt Zimmerman, Ubuntu program manager and CTO at Canonical, also in a statement supplied by the foundation.

The Linux Foundation serves as a nonprofit consortium fostering the growth of Linux. It sponsors the work of Linux creator Linus Torvalds.

taken from:

A look at the new tablet Classmate PC

Thursday, August 14, 2008

FOSS Films a requirement in IT education

I recently realized the value utilizing film as a way of popularizing open source, recently we hired a new teacher Mr. Brian De Vivar, another Open source advocate and Ubuntu buff.

When he had to accept another training session in C-office (shipboard office productivity suite for seafarers) which conflicted with his computer fundamentals class, i subbed in his class period. and trying to introduce the concept of open source, I let the students watch "Codebreakers" a documentary of the Free software movement.

I soon realized that it raised a lot of questions from our students. (we have been using open source for quite some time now and Open office/gimp/blender being some of our mainstays).

when the film viewwing was over i gave them time to write reaction paper which was never submitted in time. This also gave Mr. De Vivar time to watch the movie and another one "revolution OS". he later required his students to watch this other film and other students as well.

so our present crop of IT students realized that indeed, theres a new and big world out there with open source.

and so our journey to FOSS continues.

for those who havent seen the movie....

watch them!!!!

Free Domains