Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Censorship Your Rights Online

The Case For Full Disclosure In The Linux Changelog 234

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil securitychanges in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- Along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.
This discussion has been archived. No new comments can be posted.

The Case For Full Disclosure In The Linux Changelog

Comments Filter:
  • Does this mean that Linux devs and Microsoft agree that full disclosure is bad?

    The kernel is the one thing on my systems that I don't update all that regularly. Mostly because it tends to trash my systems out for whatever reason - so I can see where keeping the security changes out might obfuscate openings for people. But then again - if I know that someone can break into my system because I'm running 2.2.13 - I'm more likely to upgrade, fixing the problem.

    -T
    • You really need to follow the news more closely, as does Jon Lasser.

      Alan Cox did not release the changelogs for Linux kernel 2.20 in the United States for fear of prosecution under the DMCA.

      Cox did release the changelogs internationally, and some of us mirror the censored logs on sites accessible inside the U.S. The reason for the censoring of the logs is that they specify particular applications that can be used to exploit the kernel bug, which could well be interpreted under the DMCA as giving directions to script kiddies.

      • and you might want to read the article before posting?

        While at least some of the security changes made in the prerelease of the 2.2.20 Linux kernel have already been discussed elsewhere, Cox claims that describing these changes might be in violation of the same anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) used to prosecute Russian programmer Dmitri Sklyarov, and cited by Professor Felten in his initial decision not to publish a paper describing weaknesses in SDMI.

        i would say that the author is aware of the reasoning. if you read on you might see his side of the story.
        • Actually, I did read the article, and I stand by my complaint about Lasser. Of course, he's much closer to the truth than the /. poster I was replying to, but I still think he's overstating the case.

          Cox did release the changelogs. He just didn't release them in the United States. Lasser doesn't mention that fact. Apparently, he's unaware of the world past the land of the DMCA.

          • Well, either you are a non-U.S. resident who is insentitive to the restrictions placed on us by the DMCA, in which case your opinion doesn't count, or else you are a scofflaw who thinks that the option to break the law is an acceptive alternative to freedom. Either way, your opinion is flippant and irresponsible.
            • If you track my posts, you'll discover that I'm a Canadian.

              I'm willing to risk arrest if I visit the United States in order to pursue a claim that the DMCA is unconstitutional. I don't believe it is the law in the United States because it violates the Constitution, and I'm willing to risk arrest and imprisonment if I'm wrong.

              I am also willing to allow whichever Americans that view my website to take the same risk as I am willing to.

              That doesn't mean I think Alan Cox is wrong to do what he did... His situation is different from mine.

    • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Sunday November 11, 2001 @10:35AM (#2550776) Homepage
      Does this mean that Linux devs and Microsoft agree that full disclosure is bad?
      No, Alan's decision simply reflects that full disclosure is already illegal in the U.S. under some circumstances. That's why I think it's very unfair to call Alan's behavior "self-censorship". In fact, it's censorship by the government. I find it hard to believe that publishing ChangeLogs of your own software can conflict with DMCA requirements, but apparently, Alan consulted a lawyer and he told him that it did.

      Whether full disclosure is good or bad in general is a completely different question and not much related to the question whether it is legal or illegal in the U.S. now.

  • i mean, aside from the whole DMCA can of worms, it may help hackers, but if its "secure" in the first place after these changes are put in place. My understanding is that if the attackers know what the changes are, it ought to be irreivant, as they ought not to be able to gain access. This is more like another "security through obscurity" trick, than anything.
    • The issue is whether to document the exact nature of security risks in the first place.

      Not everyone updates their systems to the latest kernel as soon as it is released, so pointing out vulnerabilities in the ChangeLog along with the names of the 'cracker toolz' that exploit them increases the likelihood that systems running older kernels will be attacked.

      This very same problem was seen on the Windows platform with the IIS vulnerabilities exploited by the Code Red worm and it's 'offspring'.

      -Miki
      • First, I agree with the original post that Alan Cox's behavior, aside from the legal issues, was fairly inconsiderate. However, I think that he was conscious of that fact, and as I understand it, he was acting under legal counsel.

        However, you are right: The issue today is when and whether to document the exact nature of security issues.

        Regarding software, I am a strong proponent of full disclosure. System and network security has several aspects, and the real security is found in how the network is designed, so that it can minimize security risks. Two networks running the same software and hardware may posess very different degrees of security due to their underlying infrastructure, etc. So disclosing the exact nature of a software vulnerability is not the same as giving instructions on how to break into a system.

        However full disclosure does accomplish several things:

        1: A reliable way to see which systems are vulnerable.

        2: A clear understanding of what the log signatures of an attack would look like.

        3: A clear understanding of how the exploit works so that administrators can make intelligent choices as to how to reduce or mitigate that risk.

        The first one was covered in the article, but I see the second two as extrmely important as well.
  • by conner_bw ( 120497 ) on Sunday November 11, 2001 @09:43AM (#2550700) Journal
    By disclosing the fact that Alan Cox did not disclose issues of security on Slashdot, you have disclosed unknown information to pro Microsoft media outlets, allowing them to exploit this PR vulnerability against Linux. If you all would have just kept quiet, no one would have known that Alan Cox didn't disclose disclosure and Linux would have been fine. Shame on you!
    • by Anonymous Coward
      Thank you for discosing your meta-discosure position on discosing discosed information.

      I will now disclothe for all the non-disclosure people in this room. Thank you.
  • For God's sake (Score:3, Insightful)

    by trilucid ( 515316 ) <pparadis@havensystems.net> on Sunday November 11, 2001 @09:43AM (#2550702) Homepage Journal

    how many times does it have to be repeated: Disclose, Disclose, Disclose.

    Full disclosure is essential to the success of any project, especially where security is involved. Heck, even Suits (ornery business types) understand this: in a corporation or LLC, lack of disclosure can lead to loss of limited personal liability.

    This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

    We depend on the proper functioning of group development and understanding in Linux. From folks who just want to keep boxes on their home DSL/cable lines secure, to others (such as myself) who are involved in web hosting businesses, the need is real for disclosure.

    This is very troubling. Surely I'm not getting the whole story here, at least I hope I'm not.

    • This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.
      The changes are documented, the patch is available. Non-U.S. citizens can even read the unabridged ChangeLog on the net. So what? If your local legislation doesn't permit you to access some pieces information, and you want to have this information, it's definitely your problem. This isn't something free software developers can deal with. They can warn you and your representatives before passing harmful legislation (if word about it spreads in time), but if such warnings are ignored and annoying laws are pased in some country, it's better to move on and let those who are affected by the mess fight against it.

      In any case, pushing people towards breaking the DMCA is no solution at all.

    • Put up or shut up (Score:5, Insightful)

      by pbryan ( 83482 ) <email@pbryan.net> on Sunday November 11, 2001 @12:04PM (#2550977) Homepage
      This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

      And did you write your representative in United States Congress yet? Did you submit an amica brief at Dmitry's preliminary hearing? Did you join the EFF [eff.org] to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt [thinkgeek.com] so some of your purchase goes to stop the DMCA?

      If you have, then I applaud your actions and encourage you to continue engaging in constructive solutions. If not, then put up or shut up. Far too many people are bitching about this problem and taking no substantive action.

      It is unreasonable to expect Cox to behave differently. He's seen what happened to Dmitry. He knows what could happen if he were to disclose this information to Americans, then set foot in the United States. Cox did the right thing.

      • And did you write your representative in United States Congress yet? Did you submit an amica brief at Dmitry's preliminary hearing? Did you join the EFF [eff.org] to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt [thinkgeek.com] so some of your purchase goes to stop the DMCA?

        The answer is Y-E-S to all but the second action. To be more precise, bought t-shirts for myself and a number of friends. Participated heavily in loads of debate on the subject. Donate routinely to the EFF (it's just a good idea anyhow).

        I do not believe Cox is behaving reasonably. It would be an EXTREMELY tough twist of logic to apply the DMCA to this at all in a real-world situation. I despise the damned law as much as the rest of us on this topic, but I also know what the law says. Cox is essentially using Linux as his own personal soapbox to cry out against the DMCA, possibly partly in humour (since he knows the "true" changelogs will circulate around eventually anyhow).

        Linux is not Cox's soapbox. I have to wonder how Linus feels about this. Nobody seems to be asking that particular question.

        I acknowledge the fact that the DMCA could be twisted to prosecute someone on these grounds, but that's about as likely as a meteor hitting my girlfriend and getting her pregnant.

        I've put up, so I guess I won't be shutting up...

    • Re:For God's sake (Score:2, Insightful)

      by Tony-A ( 29931 )
      It is being disclosed, just not in the good ole USA.
      This means that "foreign hackers" have free access to the information and that US sysadmins do not have access to the information.
      It's a stupid law that in this case puts American security at risk. Since we did it to ourselves, there is no reason to expect a brit to emperil himself to attempt to rescue us from our own stupidity.
  • I support Cox (Score:5, Insightful)

    by psicE ( 126646 ) on Sunday November 11, 2001 @09:44AM (#2550706) Homepage
    The United States hasn't been the land of the free since the 1960s, and the DMCA just puts us one step closer towards not having freedom of speech. If Alan Cox feels that he needs to block all Americans from seeing the Linux changelogs to make his point, so be it. It's not like he's blocking people who live in free countries from viewing the changelogs. And if the US repeals the DMCA and doesn't pass a similar law, Cox will open up the changelogs again - he believes in keeping them open but doesn't want to get arrested for it, unlike Microsoft who wants to keep them closed as a business strategy.
    • The EUCD - European Union Copyright Directive - has to be transposed to national law until December 22nd 2002. That means we'll also have a DMCA-like legislation in the near future.
    • Eeeh... please... so the civil rights movement changed nothing?
      The United States may have been the land of the free for YOU in the 1960s, but it sure as hell wasn't for everybody.

      Just because you guys now have some stupid laws, does not mean everything is worse than it used to be.
    • by mangu ( 126918 ) on Sunday November 11, 2001 @12:26PM (#2551034)
      The United States hasn't been the land of the free since the 1960s


      A debatable point, as the US Constitution Article XVIII, ratified in 1919, forbade the "manufacture, sale, or transportation of intoxicating liquors". This article was repealed in 1933, after prohibition proved its total uselessness in preventing alcohol consumption, but there are similar laws today prohibiting the use of several recreational drugs. The main effect of such prohibition is creating a strong incentive for organized crime. The prohibition is no obstacle to former drug users becoming presidents of the USA, for instance.


      As Robert Heinlein said: "I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; If I find them too obnoxious, I break them. I am free because I know that I alone am responsible for everything I do" (The Moon is a Harsh Mistress, 1966).


      This doesn't mean that we should tolerate any such stupid laws as the DMCA or drug prohibition. Those laws have the very dangerous side effect of creating a large number of corrupt law enforcement officers. Corruption in law enforcement is, IMHO, a much greater danger to freedom.

      • offtopic but...

        It just struck me that they had to pass a CONSTITUTIONAL AMENDMENT in order to make liquor illegal, but for all the illegal drugs today just a law was passed. Seems like a case of reinterpretation of what freedoms are protected under the constitution. I'll have to look into it by seeing when the drug laws were passed and such, but it's an interesting topic.

        I'm starting to get very dissapointed in my US history as I learned in High School (I took mostly world history in college). They teach you about when the US got all these great freedoms but they don't teach you about when they were taken away again.
        • Think about it this way.
          You are trying to learn about the history of the US from the US in the US. What makes you think the US will be objective in presenting it's own history within it's own borders knowing full well that vast majority of the people will never look further.

          The best way to learn about any country is look outside of itself. Or to quote the butthole surfers "you never know just how you look in other peoples eyes."
          • for all the illegal drugs today just a law was passed

          Oh, that was easy. Cocaine was banned because of all the coked up niggers raping white women.

          This was the honest-to-god media propagated justification for banning cocaine. Opium and heroin went because of all the Chinese doping up and raping white women.

          If you find it hard to believe that Joe Voter bought these lurid "exposes", consider the media portrayal of the Taliban right now, and how quick we are to believe any story that gives us someone identifiably different to hate and fear, and how easily we pass laws on the back of that fear.

          And how many of us, in this, ahem, more enlightened age, even bother to question that portrayal, or look for the other side of the story?

        • It's not a reinterpretation of protected freedoms, but rather of available powers.

          As written, the Constitution provides the Federal government with very little power, except in a number of well-defined areas. However, there have been many areas in which "interstate commerce" (which a single clause allows the Federal government to regulate) has been used as an excuse to allow in influence. Does your business sell anything to out-of-state customers, or buy supplies from the same? Guess what -- the Federal government can now regulate what you do and how!

          It wasn't always like this, and there are those who'd put most governmental power back where it belongs -- with the states and the people. Take a close look at the Libertarian Party [lp.org] -- they're the strongest proponents of freedom I've seen yet.
  • And who exactly.... (Score:2, Interesting)

    by EvlPenguin ( 168738 )
    ...would prosocute the kernel developers as a result of full disclosure? I thought the DMCA's "circumvention" clauses only apply to the company/entity that made the product which is being exploited? I seriously doubt anyone on the kernel development team would satrt a lawsuit.

    Alan has done some great work. But he really needs to step off of his soap box for a few minutes.
    • by Anonymous Coward
      Dude. One of the worst aspects of the DMCA is that it makes violation a federal crime. No lawsuit is required.
      • One of the worst aspects of the DMCA is that it makes violation a federal crime. No lawsuit is required.


        This is completely false. It may indeed be a federal crime, but there is a lawsuit. The US Federal government is the ones that has to pursue the lawsuit.

        Dinivin
    • by RickHunter ( 103108 ) on Sunday November 11, 2001 @11:36AM (#2550895)

      I believe the suggested exchange would go something like this:

      • L33T H4X0R H finds Linux vulnerability mentioned in kernel changelog.
      • Knowing that many sites do not keep their kernels up-to-date for a variety of reasons, H creates an exploit for said vulnerability.
      • Big Company R has their servers broken into by H, and valuable "intellectual property" is stolen, including copyrighted materials and trade secrets.
      • Big Company R consults with its Lawyers.
      • Big Company R concludes that H is going to be too expensive to track down. The Lawyers, however, have a different target. The Linux changelog was a crucial component in a circumvention device intended to breach protections on R's valuable "intellectual property"!
      • Kernel Hacker A, who happens to be responsible for writing changelogs, visits America on a routine business trip.
      • Federal forces waiting for A grab him, throw him in jail, and leave him there for several months before trying him, convicting him under the DMCA, and leaving him there for several years.

      Now, while you may be eager to spend several years in Jail, Mr. Cox is not.

    • by pbryan ( 83482 ) <email@pbryan.net> on Sunday November 11, 2001 @12:14PM (#2550999) Homepage
      The DMCA cannot only applied in civil litigation; it can also be applied in a criminal prosecution. Case in point: Dmitry Sklyarov [eff.org].

      Dmitry was arrested by the FBI based on a "tip" they received from Adobe. Adobe withdrew their complaint, but that didn't stop the FBI. The FBI concluded that criminal law was being violated, and that Dmitry should be prosecuted.

      If all it takes is one relatively credible tipster to cause the arrest of Cox for violating the DMCA, then Cox's actions seem perfectly reasonable. If he were to visit the United States, he'd like to go home when he's done.
  • DMCA? (Score:2, Interesting)

    by autopr0n ( 534291 )
    How on earth could Linux security information be a violation of the DMCA? Linux is not a 'content protection system'. The DMCA dosn't say you can't hack, it only says you can't hack content protection.
    • Re:DMCA? (Score:5, Informative)

      by mocm ( 141920 ) on Sunday November 11, 2001 @10:04AM (#2550739)
      Of course, it is a content protection system. The file permissions protect the content of certain files to be read by certain users.
      So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have
      a copyright violation case with the breaking of a content protection system covered under the DMCA.
      And guess whose fault is was for publishing the
      information in the changelog.
      Next time Alan Cox comes to the US, he is arrested
      and prosecuted under the DMCA.

      As ridiculous as the example is, it is possible.
      • Hrm. (Score:3, Insightful)

        by autopr0n ( 534291 )
        That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I perchance some MP3s, and someone hacked my account to grab them, That hack wouldn't be considered illegal under the DMCA.

        File permissions are really more for privacy then they are for IP control. And remember, judges are supposed to go by the spirit of the law, not necessarily the letter. Just because you could theoretically rig something up to be a content control mechanism, doesn't mean that the courts would look on them as such.

        And also, I don't believe that you can be convicted for circumventing your own technology, any more then you could be sued for violating the GPL on software you wrote (and own the copyright on).

        There needs to be a plaintiff after all.
        • Re:Hrm. (Score:3, Interesting)

          by Ami Ganguli ( 921 )
          That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I perchance some MP3s, and someone hacked my account to grab them, That hack wouldn't be considered illegal under the DMCA.

          I'm not sure that's true, but even if it is I don't see how it makes a difference. The most likely scenario is a content creator uses his network drive while creating the content. Somebody else who has access to the machine hacks it and steals the content.

          And remember, judges are supposed to go by the spirit of the law, not necessarily the letter.

          I'm not sure that's really true either, but by the time the case gets to the courts the poor programmer has already spent several months in jail. Think about this for a second. Why should a U.K. citizen risk getting embroiled in the American legal system? He doesn't live there, vote there, or have any particular interest in becoming a martyr like Dimitri. Would you get involved in human rights protests in China while on vacation there? I doubt it. You can sympathize, but in the end it's not your battle. It's the same with Alan.

        • Re:Hrm. (Score:2, Informative)

          That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user.

          And nobody using Linux ever creates any valuable, original content? Gosh, an author writing his new bestselling novel on a multi-user Linux system may be surprised to hear that. So might the programmers of the "next big thing" who are also writing their new whiz-bang software on Linux systems and collaborating over the Internet.
  • by Marcus Brody ( 320463 ) on Sunday November 11, 2001 @09:57AM (#2550726) Homepage
    This is a pretty good discussion of the whole debacle for The register [theregister.co.uk].
    No, Alan Cox is not pro non-disclosure. But it does seem to have been an unintended side affect of his swipe at the DMCA
  • by imrdkl ( 302224 ) on Sunday November 11, 2001 @09:57AM (#2550727) Homepage Journal
    I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak. Whether in jest or as a form of protest, his actions were widely publicized, and if it starts a trend, maybe there is a problem. The eventual changelog was, however, posted here on /., and I somehow doubt that such actions will be taken again, at least not in protest.

    The international nature of Linux development makes it a potential platform for protest and discontent, but at the same time, developers can and do seem to recognize the importance of their role in the endeavor. They should be excused for occasionally "acting out", imho.

    Politicians aren't made overnight.

    • I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak. Whether in jest or as a form of protest, his actions were widely publicized, and if it starts a trend, maybe there is a problem.

      There is already a problem. It's called the DMCA. Alan Cox is neither responsible for the existence of the problem or the consequences of the said problem as he's not a US citizen and therefore gets no "say" in making laws there.
      • And just how is this supposed to make Linus feel right now? He's our guest, for crying out loud. You think he's gonna want to hang around much longer in the US if we started arbitrarily prosecuting folks who make Linux possible? And if Linus left, how would that be in our interest?

        Perhaps Mr. Cox is simply speaking out for the little guy. That's ok, but my government is gonna need some time and support to work out the fine distinctions of hat colors now that the information age is upon them. Maybe there aren't just two, after all.

        In fact, the more I think about this, the more I am sure that Mr. Cox thought very carefully about this before doing it. But Linux should transcend these concerns. And imho, should not be used as a political platform at this time.

    • I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak.

      I think not! Pandora's Box [microsoft.com] is a Microsoft product! It would be really amusing if Cox opened it.

      Of course, Pandora's Box really describes my thoughts of NT...
  • diff the code? (Score:4, Insightful)

    by peterdaly ( 123554 ) <.moc.mocten.xi. .ta. .yladetep.> on Sunday November 11, 2001 @10:02AM (#2550732)
    Am I totally missing something? If you really want to know what was changed (if not why), can't you just diff the code of the two versions?

    I don't think we really need to know HOW the bad code could be exploited...the smart people should be able to figure that out for themselves by looking at the code. Why help the script kiddies. "Fixed some major security flaws" type message is good enough for me as a user.

    -Pete
    • Re:diff the code? (Score:3, Informative)

      by trilucid ( 515316 )

      There are problems with this line of reasoning, as I will attempt to describe.

      Yes, we could all just diff the code, and we could even set up a secondary website(s) to discuss the impact of the changes we find. However, this is a very inefficient mode of operation when it comes to something as critical as security.

      Your comment about "helping the script kiddies" is disturbing in that it sounds way too close to Microsoft's "plea to the security community". That's just no good; I want to see the full details of other peoples' reasoning on these things so I'll be better able to intelligently digest and evaluate the information myself. I'm not an outstanding C coder (although I do a lot of Perl and C), so I could easily miss important things.

      The other trouble with this is that since this deals with open source software, the "user" has the immediate option of contributing in a meaningful way to the project. Unlike traditional "closed source" models, the average user (at least currently) of high security impact open source software is likely to have a few more than average clues on security topics.

      If you make it harder for these people (read: us) to get at the requisite information, you're not only putting security at risk; you're also defeating a large part of the open source / free software philosophy. Nowhere in the GPL or any other similar license that I'm aware of does it say that changelogs are subject to geographic censorship. Now, IANAL, but I also don't think the DMCA really has anything to do with this, from my following of other threads here related to all that mess.

      Just my thoughts, nothing more. Thank you.

    • by grammar nazi ( 197303 ) on Sunday November 11, 2001 @10:38AM (#2550781) Journal
      WATCH WHAT YOU SAY!!

      If you keep speaking like that, peterdaly, then diff might become a circumvention device under the DMCA and thus, will be banned in the United States.

      If you want to keep various GNU Tools such as diff, cat, cp, and ghex, then you have to hide the fact that they are usefull for anything other than taking up space. Otherwise we risk them becoming circumvention devices under the DMCA.

    • Am I totally missing something? If you really want to know what was changed (if not why), can't you just diff the code of the two versions?
      Yes, but that's beyond the capabilities of the average Slashdot poster. Even if you know the vulnerability type and the affected component, it is not immediately obvious if these -/+ lines you are staring at fix a security bug or a simple performance optimization.

      On the other hand, most people couldn't care less which has been changed in the kernel. When did kernel ChangeLogs show up? In 1999? Or in 2000? It was pretty late anyway, and I remember that Felix von Leitner was flamed for suggesting them a few years ago, so that you could follow changes to internal interfaces more easily. Of course, ChangeLogs are a nearly a must-have documentation tool, but Linux kernel development is possible without them. (In fact, Linux kernel development deliberately doesn't use a few tools many people consider essential for (operating system development).

    • Re:diff the code? (Score:3, Insightful)

      by GauteL ( 29207 )
      Security exploits are not always blindingly obvious, and how would you know exactly what parts of the patches were security fixes, and what wasn't?
      Even if you can spot these easily, there is still a lot more work involved in going through diffs, than just being told what was fixed.
  • Come on, how can you not understat that that comment from Alan Cox was a protest (though using some british sense of humour?).

    There is full disclosure. Just look the diff.

    I can't understand how people can claim to understand free software development and then have these claims.

    Hugs, Cyclops
    • There is full disclosure. Just look the diff.[sic]

      I'm not a kernel hacker and I'm also not that much of a programmer. When a new version of the kernel comes out and I want to determine how it effects me I'm probably not going to step up and diff the source tree. If one thing had changed then I could probably figure out what had changed, but if 30 or 40 things had been fixed, diff's arent going to make alot of sense to someone who isn't familar with the code. Diffs are not going to make no sense to someone who doesn't program for a living.

      so for a moron like me, who just wants to _use_ linux, changelogs are more useful (if not necessary).
      • Actually, my friend, when I was running the kernel 2.2.x series instead of downloading the Changelog I would download the patch and quickly zless it to see whether any of the changes seemed to affect me much, I've got lazy recently and skim the Changelogs before even downloading patches.

        The Patches are already a diff to the source tree, so that job is already done for you. I assume that you're running a vanilla kernel, of course.
  • by Karpe ( 1147 ) on Sunday November 11, 2001 @10:12AM (#2550748) Homepage
    ...he just doesn not want to go to jail.

    The way to deal with the DMCA is not to pretend it does not exists, but to show how ridiculous it is, and that means obeying it and showing how it limits development. You cannot think about computer security without considering the legal aspects. Of course full disclosure would be better, but at what price?
    Cox could *actually* go to jail in his next visist to the USA in case he did it. (Think not? Dimitry also didn't believe it could happen.) I am sure you can get the information of what was changed in the kernel by other means (linux-kernel?), but it is very important to be registered in the log that we are being limited by the DMCA. I don't know, perhaps in a nicer future someone will look back at these logs and ask why he didn't describe the problems, and then they will remember how the abuse of corporate power has changed law in a uncostitutional and limiting way.

    We are not talking about boys playing in a BBS, we are talking about real men with real families, people important in our community, that could go to jail because of stupid laws in the lack of this responsability.
    • The way to deal with the DMCA is not to pretend it does not exists, but to show how ridiculous it is, and that means obeying it and showing how it limits development.

      So, slightly tongue-in-cheek, is this what Gandhi or Thoreau would call civil obedience?

  • by GC ( 19160 ) <giles@coochey.net> on Sunday November 11, 2001 @10:15AM (#2550749)
    This is only being restricted to the US. The rest of us all have this information.

    If you really want to see it, click here:

    kernel-2.2.20.log [homeip.net]

    kernel-2.2.20pre11.log [homeip.net]

    I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.
    • OK, I give. What's the bit that's worrying Alan? Nothing (immediately) leapt out, poked me in the eye, and said "This is information that enables someone to bypass the technical protection on a copyrighted work."

  • Take the Source from the Formver Version, and the Current One, compare the two, and note all the changes..... The information is obviously there, its just that Alan just isn't giving us the spoon anymore...
  • by Billly Gates ( 198444 ) on Sunday November 11, 2001 @10:21AM (#2550757) Journal
    Is linux being used to hack descrambler boxes? Is it being used to decrypt dvd's? What exactly does Linux do? THe answer is that linux is a kernel that runs on pc hardware. There is nothing illegal or controversal about it. Unless you use BSD of course. :-) But my point is that a changelog is not circumvention device. It doesn't actually do anything. The case with the adobe and the russian programmer is different. He showed how to illegally open sensitve and copy-righted oops I mean controlled works without adobe's permission. The only person who can sue alan is linus. I don't think he will do this. Anyway alan did not reverse engineer linux anyway. He just read about security related issues and manually fixed the source. The gpl allows this. Since linux is only used to boot a pc and not circumvent a copyright there is nothing even Linus can do. In other words Alan is full of shit.

  • Right... (Score:2, Insightful)

    by carm$y$ ( 532675 )
    From the article:
    Although commercial tools are available that scan for vulnerabilities, the lag time between development of the exploit and the next periodic update to security scanning packages is too long for many enterprises.

    Not to mention that the commercial tools usually cost $$$, and have their own problems and shortcomings; the alternative being to download the exploit from bugtraq and try it yourself against your machines.
    From my experience - I work as a unix sysadmin for a small-to-medium software company - waiting for vendor updates (any vendor, from Sun to M$) is akin to giving up... blocking the traffic in the firewall is to survive. You have to know what to block, obviously.
    So, IMHO there is nothing like first-hand experiencing the exploits. I know the script-kiddies say the same thing. :) But what's the alternative?
  • by pwagland ( 472537 ) on Sunday November 11, 2001 @10:41AM (#2550789) Journal
    First, hasn't it [slashdot.org] already been discussed?

    Second, why is everyone here so upset? Oh, hang on. This affects, um who was it? Oh thats right, the Americans. We really shouldn't upset them should we? Most of the comments that I have seen modded up so far basically say one of the following things:

    1. Alan is chickenshit for not wishing to put himself at risk of prosecution. If it was me, I would go to jail, that way I wouldn't piss off the Americans!
    2. Those damn British! They are sooooo jealous that we are more powerful than them now. Why don't they move past the jealousy and just give use the changelogs!
    3. this is at least half reasonable They don't really want to prosecute "reasonable" people. They are just after the ones that piss off big business. What's wrong with that? Just give us our changelogs!

    Well, sadly:

    1. This is not a law that you can just ignore. It will not just go away. It is not clear exactly who can be prosecuted, or for what.
    2. The only way that laws go away is for someone, or some large group, to say "this is stupid". Lets change it. Whinging about a missing changelog does not do that. Raising awareness may or may not do that, but it can't really hurt.

    Hands up all of the americans who have written their senator, state and federal. Hands up to all of those who have given financial, or other, support to movements who are trying to repeal the DMCA. Hands up all those who would just rather whinge when that law inconveniences them. Hmm. Thought so, on that last question the number of hands went up by 10.

    If you are really so cut up about it, figure out what has changed (it isn't really that hard, it has been talked about in the previous article) and post it yourself. Then to prove to Alan what a fool he is, walk down to the DA's office and get a written statement saying that they will not prosecute you for releasing that information. Make entirely clear to them that you have released information that could help people circumvent rights management, and get the DA to sign saying that they would not prosecute you for releasing this information.

    Personally, I don't think that this will happen, since most people would rather make Alan the bad guy over taking any personal risk. I dare you to prove me wrong.

    • ... is beginning to turn into a refuge for lazy people and bored teenagers.
      I mean, on the one hand you've got a bunch of people crying that this assists firms like Microsoft. On the other, you've got users who copy verbatim writings they've already posted at other weblogs.
      I'm beginning to think even reading comments (1 or below) at Slashdot is a waste of time. What do you think?
  • by Kirkoff ( 143587 ) on Sunday November 11, 2001 @10:45AM (#2550791)
    Alan Cox could just use the Linux Comment System(TM). You know, how Linus will implement a whole new VM and the changelog states "VM Fixes." Using Linus's model for this, Alan Cox would definatly just state "Fixed security issues" for most any bug. Heck, he could even put it in the "Random Fixes" catchall. Then all Alan has to do is run around saying to people stuff like "I don't really care about Micro*cough* - The DMCA. It bores me."

    Maybe we would all do better following Linus's methods. Let's say you need to turn in an Essay on Lord Of The Flys, it's simple:
    • Essay Pre-1 "Plane crash"
    • Essay Pre-2 "Establish democrasy"
    • Essay Pre-2 "formed resitance"
    • Essay Pre-3 "War - people died"
    • Essay Pre-4 "Ship arrives restored grownups"


    As you can see, this eases your everyday life. It gets rid of the unintended problems that spring from caring about anything but the task at hand.

    --Josh
  • What if there is some serious kernel security hole in pre-2.2.20 and 2.0.x kernels affecting Bastille, RedHat up to 7.0 and EVERY OTHER linux system having a pre-2.2.20 kernel installed? What the heck is Alan hiding?
  • by Bake ( 2609 ) on Sunday November 11, 2001 @10:54AM (#2550809) Homepage
    Is why people think software with its encryption is any different from other products.

    Is Ford or Firestone sueing the group that discovered the flaw when you put an Explorer on Firestone tires?
    Are lockmakers sueing those that pick locks?

    Why do software companies think they're so "special" in that regard?

    Isn't there a consumers' association in the US?
    If there is, I don't know how they act, but in many countries this sort of association tries to keep regular companies on their toes by regularly testing their products and giving them a thumbs-up or thumbs-down verdict. Also if consumers are having problems with a company due to a breach of contract or bad sale or whatever, the association has a bunch of lawyers on their payroll who are willing to sue.
    Wouldn't it just be a great idea if encryption-breakers could team up with that kind of organisation? I mean, it is of course in the consumer's interest that this sort of work goes on.
    • The DMCA isn't about encryption.
      It's also not about flaws in tires, or bugs in software.

      It's about technological systems that protect copyrighted works.
  • ...place to detail security changes. Isn't the purpose of the Changelog to provide a brief at-a-glance notification of changes? After all you don't want the 10k of gorey details about why ext3 driver was patched nor should there probably be security alerts. Instead how about make another document or document directory in the Documentation that details stuff like this instead of harping on maintainers of Changelog?
  • by jneves ( 448063 ) on Sunday November 11, 2001 @11:00AM (#2550821) Homepage
    The article says Cox is wrong because he shoould stand by full disclosure. While I know that Alan did this as a protest, I don't understand the reasoning of those who "attack" his position. Why should somebody like Alan risk to go to jail for disclosing information that can facilitate the circumvention of filesystem's permissions ?

    We all know that that is illegal in the USA, thanks to the DMCA, and in a little over one year, will also be illegal in most of Europe, thanks to the EUCD - European Union Copyright Directive.

    My question is: Why should he take the risk ? Until know, Sklyarov is still in jail, Felten hasn't got the courts permission to present his article and I still can't get a DVD player with any GNU/Linux distribution. Isn't this enough to make one think twice before entering the security field ?

  • M.I.B's (Score:2, Funny)

    by GISboy ( 533907 )
    Elias Levy wrote an eloquent rebuttal to the Microsoft essay. But I'd like to zero on in one particularly egregious claim Culp makes in his argument: that an administrator "doesn't need to know how a vulnerability works in order to understand how to protect against it."

    The M.I.B's (Microsofties In Black)would be proud.

    Just claim "you don't need to know".

    And the 'Little Flashie Thingies' don't hurt either.
  • by tannhaus ( 152710 )
    Alan Cox is definately beginning to irritate me in the last few months. First, he won't change over the VM, then he won't disclose the changelogs. He finally gave in on the VM.

    Mr. Cox, do you adhere to all the rules of the U.S. as a british citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.

    The DMCA is a U.S. law. Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.

    The federal goverment does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention. This is simply ridiculous. You can't be put in jail for publishing changelogs to your own code.

    Oh my god...last week I tried to hack my own linux box! I'm a fugitive from justice!

    Personally, I vote Alan Cox finds him a nice little therapist somewhere in merry old England and tries to get some help.
    • Mr. Cox, do you adhere to all the rules of the U.S. as a british citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.

      This is most definitely not the point. Alan Cox is making a protest against the DMCA. He's chosen a public forum, but not big enough to actually inconvenience a lot of people too much (witness mirrors).

      Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.

      Nope! He did it in Russia, came over to a convention to promote the product, got arrested by Adobe^H^H^H^H^Hthe FBI there.

    • by alienmole ( 15522 ) on Sunday November 11, 2001 @02:01PM (#2551253)
      The DMCA is a U.S. law. Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil.

      Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.

      The federal goverment does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.

      Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.

      This business of having draconian laws which are enforced at the authorities discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.

      If you're saying that you support the DMCA as written, then I suppose we have a total different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.

      Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.

  • by z19752002 ( 533882 ) on Sunday November 11, 2001 @11:06AM (#2550838)

    Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.

  • by Anonymous Coward on Sunday November 11, 2001 @11:39AM (#2550907)
    OK people, the Linux community has a great news article summary site called Linuxtoday [linuxtoday.com].

    Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs [newsforge.com].

    For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.

    So, basically, he's making a political point about stupid laws. He's welcome to if that what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.

    Glenn

  • Fight bad laws like DMCA. Join the EFF [eff.org]. It's that simple.
  • by Bob Clary ( 224900 ) on Sunday November 11, 2001 @12:30PM (#2551041)

    If the kernel change logs can be used to provide information to hackers that would result in criminal liability, does not the entire kernel source provide the same information?

    Doesn't that imply that the entire Linux Kernel Source should be closed and only Binaries provided?

    If Alan Cox is allowed to use Linux as his own political soapbox, then Linux itself is history. Where the hell is Linus?

      • If Alan Cox is allowed to use Linux as his own political soapbox, then Linux itself is history. Where the hell is Linus?

      Linus is in the USA, and so will have to be very, very careful what he says and does for the forseeable future.

      You want to bet that Microsoft wouldn't pull an Adobe and have their Enforcement Division (aka the US legislature) lock up Linus if they thought the benefits would outweigh the costs? It's unthinkable, you say? Why is it unthinkable? All Microsoft would have to do would be to fulfill their patriotic duty to report an un-American protection control bypass in the Linux kernel, then Uncle Sam will do the dirty work for them.

      What's the cost to Microsoft of doing that? Bad publicity for them, and good publicity for Linux. What's the benefit? Tie up Linus in court action for years. Have his passport removed. Restrict his ability to travel. As best, have him jailed on remand. The damage that would do to the Linux kernel would be real and immediate. GNU/Linux needs to take desktops from Microsoft now, before .NET gains mindshare, and any kernel splits, delays or even more FUD would give .NET a free run.

      Do you really think there isn't a cadre of Microsoft execs and lawyers discussing this right now? Not in terms of right and wrong, just in terms of damage and payoff.

  • by SMN ( 33356 ) on Sunday November 11, 2001 @01:27PM (#2551169)
    This is liable to be score (-1, Unpopular Opinion), but it needs to be said:

    If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.

    Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.

    Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.

    • We already have some precedents (in Felten and Sklyarov) about how "people who violate the DMCA get screwed." We don't need more of those, at least not at the expense of good people. The general public probably looks at these two cases as you'd expect them to: "Well, gee, they did break the law, so I guess they had it coming."

      Alan is taking a different approach. He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered. Instead of violating the law (knowingly or not) and then crying foul when he gets charged, he's making the point that complying with the DMCA interferes with legitimate business. It's a subtle difference, but IMO it's a better precedent. I think people will be more apt to see the DMCA as a bad law once they understand that it's the law-abiding citizens who are being effectively punished.

      To quote a poster from the original thread on this issue, the DMCA is the only law so stupid that it must be fought through civil obedience!

      Shaun
      • He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered.


        He's not showing the world anything; he's only telling those of us who follow Linux and Slashdot. He's simply "preaching to the choir."



        Furthermore, even if this was publicised, it would hardly seem like the case of a poor academic being wronged by and unjust law -- and that's because it isn't. It's a British hacker with no legal expertise stretching this American law so that he can cry out that he was wronged.



        You and I and whoever else is reading this know that what he's saying might not be that much of a stretch, and that there is a slight chance this could get him in trouble. But he won't be earning any sympathy from anyone other than us unless that actually happens, and I think it's very unlikely that anyone would ever try to apply the DMCA against him in that manner anyway.



        (There goes my karma. Kill the messenger =)

      • He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered
        He's not showing the world anything; he's only telling those of us who follow Linux and Slashdot. He's simply "preaching to the choir."

        Furthermore, even if this was publicised, it would hardly seem like the case of a poor academic being wronged by and unjust law -- and that's because it isn't. It's a British hacker with no legal expertise stretching this American law so that he can cry out that he was wronged.

        You and I and whoever else is reading this know that what he's saying might not be that much of a stretch, and that there is a slight chance this could get him in trouble. But he won't be earning any sympathy from anyone other than us unless that actually happens, and I think it's very unlikely that anyone would ever try to apply the DMCA against him in that manner anyway.

        (There goes my karma. Kill the messenger =)

        • Actually, Alan isn't being wronged and isn't whining.

          The DMCA is affecting those who are using Linux except Alan Cox and other non-US developers. Its the Americans who should be complaining about how this has affected them.

          The US has this habit of charging foreigners with breaking these new laws and getting them extradited or tricking them into coming onto american soil when necessary.
      • "Alan is taking a different approach. He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered."

        I see. So I should really regard the Changelog as a joke and diff the sources for myself, should I? *bzzzt*, I have real live servers to maintain. If I don't get to know what I'm upgrading and for why, I won't use linux on them at all.

        Alan, if you're reading, remember that you're in the UK, not the US, and don't pander to their damn silly DMCA "law" either as a joke or semi-seriously (I know kernel.org is in the US...) again.
        • You'll just have to complain to your lawmakers about the hampering you're under because of the DMCA as later posters have seemingly done.

          I live in Canada and have sent in my pleas for us to not have a rehashed DMCA introduced here already.
    • First, it's criminal prosecution, not just a suit. Second, why is Alan obliged to become a martyr to an unjust law in a foreign country? Did you travel to Afghanistan and commit adultery so you could be stoned to death, thereby convincing the Afghanis of the injustice of sharia? Better yet, why don't you go to England and violate the RIP law by refusing to provide decryption keys to a block of data the police want. Maybe when you're living in a British prison Alan Cox will be inspired to come live in an American prison.
  • Full Changelog (Score:2, Informative)

    by Anonymous Coward
    Here's the full uncensored changelog for Linux 2.2.20:

    2.2.20 final
    o Final fixes for the computone driver (Michael Warfield)

    2.2.20pre12
    o Update davicom driver to fix oopses (Sten Wang)
    o Updated PC300 driver - fix SCA-II DMA bugs
    (Daniela P. R. Magri Squassoni)
    o Make syn cookies per socket (Andi Kleen)
    o Computone driver fixes for fast PC's (Michael Warfield)
    | Follow on devfs patches didnt apply so dropped
    o DAC960 update (Leonard Zubkoff)

    2.2.20pre11
    o Security fixes
    - Quota buffer overrun , possibly locally (Solar Designer)
    exploitable
    - Ptrace race - local root exploit (Rafal Wojtczuk,
    - Symlink local denial of service attack Solar Designer,
    fix Linus Torvalds)
    - Sparc exec fixups (Solar Designer)
    o Sparc updates (Dave Miller)
    o Add escaped usb hot plug config item (Ryan Maple)
    o Fix eepro10 driver problems (Aris)
    o Make request_module return match 2.4 (David Woodhouse)
    o Update SiS900 driver (Hui-Fen Hsu)
    o Update ver_linux to match 2.4 (Steven Cole)
    o Final isdn fixups for 2.2 (Kai Germaschewski)
    o scsi tape fixes from 2.4 (Kai Mäkisara)
    o Update credits entry (Henrik Storner)
    o Fix scc driver hang case (Jeroen)
    o Update credits entry (Dave Jones)
    o Update FAT documentation (Hirokazu Nomoto)
    o Small net tweaks (Dave Miller)
    o Fix cs89xx abuse of skb->len (Kapr Johnik)

    2.2.20pre10
    o Update the gdth driver (Achim Leubner)
    o Fix prelink elf loading in 2.2 (Jakub Jelinek)
    o 2.2 lockd fixes when talking to HP/UX (Trond Myklebust)
    o 3ware driver update (Adam Radford)
    o hysdn driver update (Kai Germaschewski)
    o Backport via rhine fixes (Dennis Bjorklund)
    o NFS client fixes (Trond Myklebust, Ion Badulescu,
    Jim Castleberry, Crag I Hagan.
    Adrian Drzewiecki)
    o Blacklist TEAC PD-1 to single lun (Wojtek Pilorz)
    o Fix null request_mode return (David Woodhouse)
    o Update credits entry (Fernando Fuganti)
    o Fix sparc build with newer binutils (Andreas Jaeger)
    o Starfire update (Ion Badulescu)
    o Remove dead USB files (Greg Kroah-Hartmann)
    o Fix isdn mppp crash case (Kai Germaschewski)
    o Fix eicon driver (Kai Germaschewski)
    o More pci idents (Andreas Tobler)
    o Typo fix (Eli Carter)
    o Remove ^M's from some data files (Greg Kroah-Hartmann)
    o 64bit cleanups for isdn (Kai Germaschewski)
    o Update isdn certificates (Kai Germaschewski)
    o Mac update for sysrq (Ben Herrenschmidt)

    2.2.20pre9
    o Document ip_always_defrag in proc.txt (Brett Eldrige)
    o Update S/390 asm for newer gcc (Ulrich Weigand
    o Update S/390 documentation Carsten Otte
    o Update s390 dump too and co)
    o Update s/390 dasd to match 2.4
    o Backport s/390 tape driver from 2.4
    o FDDI bits for s/390
    o Updates for newer pmac laptops (Tom Rini)
    o AMD760MP support (Johannes Erdfelt)
    o Fix PPC oops on media change (Tom Rini)
    o Fix some weird but valid input combinations (Tom Rini)
    on PPC
    o Add additional checks to irc dcc masquerade (Juanjo Ciarlante,
    Michal Zalewski)
    o Update 2.2 ISDN maintainer (Kai Germaschewski)
    o Fix 3c505 with > 16Mb of RAM (Paul)
    o Bring USB into sync with 2.4.7 (Greg Kroah-Hartmann)

    2.2.20pre8
    o Merge DRM fixes from 2.4.7 tree (me)
    o Merge sbpcd fixes from 2.4.7 tree
    o Merge moxa buffer length check
    o Merge bttv clip length check
    o Merge aha2920 shared irq from 2.4.7 tree
    o Merge MTWEOF fix from 2.4.6 tree
    o Merge serverworks AGP from 2.4.6 tree
    o Merge sbc60xxx watchdog fixes from 2.4.6
    o Merge lapbether fixes from 2.4.6
    o Merge bpqether fixes from 2.4.6
    o Merge scc fixes from 2.4.6
    o Merge lmc memory leak fixes from 2.4.6
    o Merge sm_wss fixes from 2.4.6
    o Resync AGP support with 2.4.6
    o Merge epca fixes from 2.4.5
    o Merge riscom8 fixes from 2.4.5
    o Merge softdog fixes from 2.4.5
    o Merge specialix fixes from 2.4.5
    o Merge wdt/wdt_pci fixes from 2.4.5
    o ISDN cisco hdlc fixes (Kai Germaschewski)
    o ISDN timer fixes (Kai Germaschewski)
    o isdn minor control change backport (Kai Germaschewski)
    o Backport ELCR MP 1.1 config/PCI routing stuff (John William)
    o Backport isdn ppp fixes from 2.4 (Kai Germaschewski)
    o Backport isdn_tty fixes from 2.4 (Kai Germaschewski)
    o eicon cleanups (Armin Schindler)
    | Armin can you double check the clashes were ok
    o Fix an ntfs oops (Anton Altaparmakov)
    o Fix arp null neighbour buglet (Dave Miller)
    o Update sparc version strings, pci fixups (Dave Miller)
    o Define CONFIG_X86 in 2.2 as well as 2.4 (Herbert Xu)
    o Configure.help cleanups (Steven Cole)
    o Add MODE_SELECT_10 to qlogic fc table (Jeff Andre)
    o Remove dead oldproc variable (Dave Miller)
    o Update starfire driver for 2.2 (Ion Badulescu)
    o 8139too driver update (Jens David)
    o Assorted race fixes for binfmt loaders (Al Viro)
    o Update Alpha support for older boxes (Jay Estabrook)
    o ISDN bsdcomp/ppp compression fixes (Kai Germaschewski)

    2.2.20pre7
    o Merge rose buffer management fixes (Jean-Paul Roubelat)
    o Configure.help updates (Steven Cole)
    o Add Steven Cole to credits (Steven Cole)
    o Update kbuild list info (Michael Chastain)
    o Fix slab.c doc typo (Piotr Kasprzyk)
    o Lengthen parport probe timeout (Jean-Luc Coulon)
    o Fix vm86 cleanup (Stas Sergeev)
    o Fix 8139too build bug (Jürgen Zimmermann)
    o Fix slow 8139too performance (Oleg Makarenko)
    o Sparc64 exec fixes (Solar Designer)

    2.2.20pre6
    o Merge all the pending ISDN updates (Kai Germaschewski)
    | These are sizable changes and want a good testing
    o Fix sg deadlock bug as per 2.4 (Douglas Gilbert)
    o Count socket/pipe in quota inode use (Paul Menage)
    o Fix some missing configuration help texts (Steven Cole)
    o Fix Rik van Riel's credits entry (Rik van Riel)
    o Mark xtime as volatile in extern definition (various people)
    o Fix open error return checks (Andries Brouwer)

    2.2.20pre5
    o Fix a patch generation error, replaces 2.2.20pre4 which is
    wrong on ad1848

    2.2.20pre4
    o Fix small corruption bug in 82596 (Andries Brouwer)
    o Fix usb printer probing (Pete Zaitcev)
    o Fix swapon/procfs race (Paul Menage)
    o Handle ide dma bug in the CS5530 (Mark Lord)
    o Backport 2.4 ipv6 neighbour discovery changes (Dave Miller)
    o FIx sock_wmalloc error handling (Dave Miller)
    o Enter quickack mode for out of window TCP data (Andi Kleen)
    o Fix Established v SYN-ACK TCP state error (Alexey Kuznetsov)
    o Sparc updates, ptrace changes etc (Dave Miller)
    o Fix wrong printk in vdolive masq (Keitaro Yosimura)
    o Fix core dump handling bugs in 2.2 (Al Viro)
    o Update hdlc and synclink drivers (Paul Fulghum)
    o Update netlink help texts (Magnus Damm)
    o Fix rtl8139 keeping files open (Andrew Morton)
    o Further sk98 driver updates. fix wrong license (Mirko Lindner)
    text in files
    o Jonathan Woithe has moved (Jonathan Woithe)
    o Update cpqarray driver (Charles White)
    o Update cciss driver (Charles White)
    o Don't delete directories on an fs that reports (Ingo Oeser)
    then 0 size when doing distclean
    o Add support for the 2.4 boot extensions to 2.2 (H Peter Anvin)
    o Fix nfs cache locking corruption on SMP (Craig Hagan)
    o Add missing check to cdrom readaudio ioctl (Jani Jaakkola)
    o Fix refclock build with newer gcc (Jari Ruusu)
    o koi8-r fixes (Andy Rysin)
    o Spelling fixes for documentation (Andries Brouwer)

    2.2.20pre3
    o FPU/ptrace corruption fixes (Victor Zandy)
    o Resync belkin usb serial with 2.4 (Greg Kroah-Hartmann)
    o Resync digiport usb serial with 2.4 (Greg Kroah-Hartmann)
    o Rsync empeg usb serial with 2.4 (Greg Kroah-Hartmann)
    o Resync ftdi_sio against 2.4 (Greg Kroah-Hartmann)
    o Bring keyscan usb back into line with 2.4 (Greg Kroah-Hartmann)
    o Resync keyspan_pda usb with 2.4 (Greg Kroah-Hartmann)
    o Resync omninet usb with 2.4.5 (Greg Kroah-Hartmann)
    o Resync usb-serial driver with 2.4.5 (Greg Kroah-Hartmann)
    o Resync visor usb driver with 2.4.5 (Greg Kroah-Hartmann)
    o Rsync whiteheat driver with 2.4.5 (Greg Kroah-Hartmann)
    o Add edgeport USB serial (Greg Kroah-Hartmann)
    o Add mct_u232 USB serial (Greg Kroah-Hartmann)
    o Update usb storage device list (Stas Bekman, Kaz Sasayma)
    o Bring usb acm driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring bluetooth driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring dabusb driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring usb dc2xx driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring mdc800 usb driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring rio driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring USB scanner drivers into line with 2.4.5 (Greg Kroah-Hartmann)
    o Update ov511 driver to match 2.4.5 (Greg Kroah-Hartmann)
    o Update PCIIOC ioctls (esp for sparc) (Dave Miller)
    o General sparc bugfixes (Dave Miller)
    o Fix possible oops in fbmem ioctls (Dave Miller)
    o Fix reboot/halt bug on "Alcor" Alpha boxes (Tom Vier)
    o Update osst driver (Willem Riede)
    o Fix syncppp negotiation bug (Bob Dunlop)
    o SMBfs bug fixes from 2.4 series (Urban Widmark)
    o 3ware IDE raid driver updates (Adam Radford)
    o Fix incorrect use of bitops on non long types (Dave Miller)
    o Fix reboot/halt bug on 'Miata' Alpha boxes (Tom Vier)
    o Update Tim Waugh's contact info (Tim Waugh)
    o Add TIOCGSERIAL to sun serial on PCI sparc32 (Lars Kellogg-Stedman)
    o ov511 check user data more carefully (Marc McClelland)
    o Fix netif_wake_queue compatibility macro (Andi Kleen)

    2.2.20pre2
    o Fix ip_decrease_ttl as per 2.4 (Dave Miller)
    o Fix tcp retransmit state bug (Alexey Kuznetsov)
    o Fix a few obscure sparc tree bugs (Dave Miller)
    o Fix fb /proc bug and OF fb name size bug (Segher Boessenkool)
    o Fix complie with CONFIG_INTEL_RNG=y (Andrzej Krzysztofowicz)
    o Fix rio driver when HZ!=100 (Andrzej Krzysztofowicz)
    o Stop 3c509 grabbing other EISA boards (Andrzej Krzysztofowicz)
    o Remove surplus defines for root= names (Andrzej Krzysztofowicz)
    o Revert pre1 APIC change

    2.2.20pre1
    o Fix SMP deadlock in NFS (Trond Myklebust)
    o Fix missing printk in bluesmoke handler (me)
    o Fix sparc64 nfs (Dave Miller)
    o Update io_apic code to avoid breaking dual (Johannes Erdfelt)
    Athlon 760MP
    o Fix includes bugs in toshiba driver (Justin Keene,
    Greg Kroah-Hartmann)
    o Fix wanpipe cross compile (Phil Blundell)
    o AGPGART copy_from_user fix (Dawson Engler)
    o Fix alpha resource setup error (Allan Frank)
    o Eicon driver updates (Armind Schindler)
    o PC300 driver update (Daniela Squassoni)
    o Show lock owner on flocks (Jim Mintha)
    o Update cciss driver to 1.0.3 (Charles White)
    o Backport cciss/cpqarray security fixes (me)
    o Update i810 random number generator (Jeff Garzik)
    o Update sk98 driver (Mirko Lindner)
    o Update sis900 ethernet driver (Hui-Fen Hsu)
    o Fix checklist glitch in make menuconfig (Moritz Schulte)
    o Update synclink driver (Paul Fulghum)
    o Update advansys scsi driver (Bob Frey)
    o Ver_linux fixes for 2.2 (Steven Cole)
    o Bring 2.2 back into line with the master ISDN (Kai Germaschewski)
    o Whiteheat usb driver update (Greg Kroah-Hartmann)
    o Fix via_rhine byte counters (Adam Lackorzynski)
    o Fix modem control on rio serial (Rogier Wolff)
    o Add more Iomega Zip to the usb storage list (Wim Coekaerts)
    o Add ZF Micro watchdog (Fernando Fuganti)
  • It's a cool book. If you want to know more about it, check out Lasser's web site [tux.org], or read my own book review [dannyreviews.com].

    Danny.

  • The sad fact is that there is a lot of stuff you can put into code these days that exposes you to civil and criminal liability. People will try to bring claims of patent infringement, circumvention, copyright violations, and hacking against you.

    And open source is at a grave disadvantage here: when Microsoft violates the GPL, nobody will know about it because it is hidden in gigabytes of messy binaries. But when Apache or the Linux kernel steps on someone's toes, everybody knows about it right away because the source code is open and widely read.

    I don't have a solution for this problem other than that we need to become more active politically: open source software should not be at this disadvantage. But until the laws are fixed, decisions like Cox's, will be both rational and increasingly common. Stopgap technological measures, such as anonymous posting of such information, may help in the meanwhile, but they are far from perfect, both because they don't actually remove the legal liability and because they make development unnecessarily cumbersome.

  • Idaho Letter (Score:3, Insightful)

    by ink ( 4325 ) on Sunday November 11, 2001 @06:42PM (#2552040) Homepage
    Here's a letter I sent to my congressman and senators. Feel free to copy it; I hope to see people from every state followup with letters that they have sent. Everyone needs to take action now; if only the representatives from California and New York are notified, nothing will be done.

    Representative Simpson,

    As I feared, and wrote to you about, the Digital Millenium Copyright Act (DMCA) has now crippled US software developers. Here is a thread which basically explains the situation:

    http://slashdot.org/comments.pl?sid=22882&cid=2460 604

    In short: the DMCA has forced the Linux kernel developers to distinguish between "US" and "Non-US" developers. The "Non-US" group of developers are privy to all the security fixes for the kernel while the "US" group are now unable to view these changes because of recent action by DMCA proponents (the FBI's Skylarov case, MPAA vs. 2600).

    Worse than that, we (US developers) are no longer able to participate in security development and as such are in a weaker position to ensure the security of a product -- something very important in light of September 11th. This law needs to be fixed or repealed as soon as possible; it has prevented university research from being published (see Felton vs. RIAA, SDMI) and companies are using the most ridiculous "copy protection" schemes in order to halt speaking about security.

    You Fellow Idahoan,

    Craig M. Kelley

    Feel free to cut and paste and modify.

  • ...today he seems to be off-balance, and doesn't seem to understand all of the issues about which he speaks. Apparently he has failed to note a couple of key facts:

    1. Alan Cox hasn't censored himself. If Jon Lasser would fly to England or cross the border into either Mexico or Canada, he could find an Internet café somewhere where he could study the changelogs at his leisure.

      It's his country that's done the censorship.

    2. The DMCA has already made the full disclosure way he and everyone else who has the smallest clue about computer and information security knows to be effective illegal in the United States.

    If he wants to bitch about it, let him either write to his congressman to get the law repealed, or emigrate to some other country that doesn't have a DMCA-like law.

  • Over the past thirty years, the US has completely destroyed its manufacturing base. About the only thing we do make anymore is information. Just think! Car designs are farmed out to people in far away lands. Marketing, we still do, but that's all information, too. Same with our culturally enlightening entertainment exports.

    What does this have to do with Alan Cox? Everything...

    The powers that be in the information sector know that the loss of IP rights would completely destroy the information economy and, as such, the US economy. They cannot let go of these laws. They need them to ensure the survivability of the US economy into the next century. This is why the DMCA will be defended at every turn. This is why any act of "civil disobediece' will be punished. And if it is a foreign citizen that needs to be punished (like Dimitri or Alan) so much the better. The only people who will be crying to defend these "evil hackers" would be a bunch of ineffective nerds who can't even figure out they need to support the mainstream political parties to get their voices heard and who go away after a news article disappears from Slashdot's front page.

    So, no. I don't think that Alan is being paranoid or just making a point. What I think is that the Slashdot audience really doesn't understand the extent to which the US economy is supported by IP law and the extent to which our government will go to see those laws protected and extended.

    So go ahead. The changelogs are out there. Go ahead and host them yourselves. That is if you're not afraid to. Oh? Got to stay in and watch that Seinfeld rerun, huh? Thought so...

C for yourself.

Working...