"Hemmann, Volker Armin"
<volker.armin.hemmann tu-clausthal.de> posted
200701172222.16480.volker.armin.hemmanntu-clausthal.de, excerpted below,
on Wed, 17 Jan 2007 22:22:16 +0100:
> NVIDIA was made aware of a problem with our 1.0-8774
driver that caused an X
> Server crash on July 2006 through a posting on
nvnews.net. The problem was
> not identified as a security risk.
This is the core of the problem, right here.
Putting it in non-technical terms, if the program is caused
to crash, by
definition, it performed an action the programmer hadn't
anticipated, or
it would have been tested for and dealt with. Since a
non-trivial number
of these crashes are known to have security implications,
and we've just
demonstrated that the programmer hadn't anticipated the
issue and thus
couldn't protect against it, any such crash must be treated
as a potential
security issue until proven otherwise. Since it's generally
easier, for
someone who has the code anyway, to just find and fix the
bug than to
demonstrate whether it's a security issue or not, that's
what usually
happens, and it's never known whether it was a security
issue.
Any crash of a native machine coded binary must be assumed
to have
security implications unless it is demonstrable that's not
the case, and
prioritized accordingly. Since this one WAS a security
issue, that could
not be demonstrated, and NVidia erred in treating it as a
non-security-issue bug. Had they acted correctly, they
would have treated
it as a potential security issue, giving it according
priority while
fixing it, and released the bug-fix as a potential security
fix, even if
the issue had never been confirmed as a security vuln.
This demonstrates quite well one of the issues with
binary-only code, too.
First, virtually all non-trivial code, proprietary source or
FLOSS, very
reasonably comes with a disclaimer absolving the author of
responsibility
if the code does something unintended. It would be insane
to do
otherwise, given the difficulty of anticipating all possible
situations
under which the code might be used. That's not a problem
and as I said is
pretty much universal in the software industry, open source
or not.
However, while open code (viewable without NDA or the like)
gives the user
the ability to verify for themselves the degree of risk, or
have someone
they trust do it if they don't have the skills themselves to
do it,
"black-box" proprietary code not only disclaims
any responsibility for
problems, but provides no way for the user to do his own
evaluation (or
arrange for a party he trusts to do so). The user is asked
to agree to
absolve the author of responsibility, while no method is
provided for same
user to intelligently ascertain for themselves what's in
that black box
they are being asked to take responsibility for themselves!
IMO, that's
INSANE, and one reason I can never agree to the EULA most
proprietary
software requires one agree to.
While I agree it's unreasonable to NOT have a disclaimer
absolving the
author of responsibility for damages, I'm not going to
absolve someone
from responsibility for their code without first having the
ability to
check it myself, or have someone of my choosing do so. That
by definition
then excludes from consideration anything closed source,
since they very
reasonably only let me run it on condition I absolve them
of
responsibility for what it might do, but (IMO) unreasonably
expect me to
simply do so with no ability to have a look at what the code
might do
myself, or have someone I trust have a look at it for me.
As it happens, I don't personally have the skills to verify
the quality and
security of the code. However, that "someone I
trust" is the FLOSS
community, including the authors willing to put their source
code out
there for examination in the first place. By contrast, I do
NOT trust
authors not willing to take that step, yet still require me
to agree they
have no responsibility if the code doesn't work as intended
if I choose to
use their programs, so I just choose not to make those
agreements, and
consequently can't use their programs.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."
Richard Stallman
--
gentoo-amd64gentoo.org mailing list
|