Are security bugs just normal bugs?
I just have to ask you this: are security bugs just normal bugs? Or should they be treated as special?
The reason I ask is a statement made by Linus Torvalds in a discussion on the Linux kernel mailing list just a few days ago.
So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.
I will not debate the Linux way of handling security issues, or whether the kernel developers are covering up security issues. That's a whole different question.
So, Linus thinks of security bugs as just normal bugs. I don't agree.
So why should we treat security issues differently?
Because they are different. Normal bugs can't harm you unless your actions trigger them. And when they do, you will create a bug report and the issue will be fixed, hopefully.
Security issues will in most cases not be uncovered through normal use of the system. They need special testing. And, let's face it: if you don't give the person who found the bug some credit, people will stop looking. If your community doesn't look for them, some black-hat hacker will.
Another reason is that the internet is getting more and more like the streets of a mafia movie from the 50s, filled with crime. One of the most important things these days is to keep up to date with the security fixes. But how are you supposed to do that if you don't know whether a release is a security update or just a normal bugfix release fixing something that already works fine on your computer? You don't. Security bugs need special treatment.
In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking.
Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.
Don't get me wrong. Normal bugs need to be fixed, but security issues should be fixed a lot faster. And the users should be aware that you just fixed a security issue, and that they should upgrade.
And for the record: don't think less of the monkeys. At least they know what's best for them. ;)