The Case For Full Disclosure In The Linux Changelog

Posted by timothy on Sun Nov 11, 2001 09:29 AM
from the asking-and-telling dept.
titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.
  • by Talonius (97106) on Sunday November 11 2001, @09:38AM (#2550695) Homepage Journal
    Does this mean that Linux devs and Microsoft agree that full disclosure is bad?

    The kernel is the one thing on my systems that I don't update all that regularly. Mostly because it tends to trash my systems out for whatever reason - so I can see where keeping the security changes out might obfuscate openings for people. But then again - if I know that someone can break into my system because I'm running 2.2.13 - I'm more likely to upgrade, fixing the problem.

    -T
  • by msim (220489) on Sunday November 11 2001, @09:39AM (#2550697) Homepage Journal
    I mean, aside from the whole DMCA can of worms, it may help hackers, but if it's "secure" in the first place after these changes are put in place. My understanding is that if the attackers know what the changes are, it ought to be irrelevant, as they ought not to be able to gain access. This is more like another "security through obscurity" trick, than anything.
  • by conner_bw (120497) on Sunday November 11 2001, @09:43AM (#2550700) Homepage
    By disclosing the fact that Alan Cox did not disclose issues of security on Slashdot, you have disclosed unknown information to pro Microsoft media outlets, allowing them to exploit this PR vulnerability against Linux. If you all would have just kept quiet, no one would have known that Alan Cox didn't disclose disclosure and Linux would have been fine. Shame on you!
  • For God's sake (Score:3, Insightful)

    by trilucid (515316) <pparadis@havensystems.net> on Sunday November 11 2001, @09:43AM (#2550702) Homepage Journal

    how many times does it have to be repeated: Disclose, Disclose, Disclose.

    Full disclosure is essential to the success of any project, especially where security is involved. Heck, even Suits (ornery business types) understand this: in a corporation or LLC, lack of disclosure can lead to loss of limited personal liability.

    This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

    We depend on the proper functioning of group development and understanding in Linux. From folks who just want to keep boxes on their home DSL/cable lines secure, to others (such as myself) who are involved in web hosting businesses, the need is real for disclosure.

    This is very troubling. Surely I'm not getting the whole story here, at least I hope I'm not.

    • Re:For God's sake by Florian Weimer (Score:2) Sunday November 11 2001, @11:42AM
    • Put up or shut up (Score:5, Insightful)

      by pbryan (83482) <email@pbryan.net> on Sunday November 11 2001, @12:04PM (#2550977) Homepage
      This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

      And did you write your representative in United States Congress yet? Did you submit an amicus brief at Dmitry's preliminary hearing? Did you join the EFF [eff.org] to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt [thinkgeek.com] so some of your purchase goes to stop the DMCA?

      If you have, then I applaud your actions and encourage you to continue engaging in constructive solutions. If not, then put up or shut up. Far too many people are bitching about this problem and taking no substantive action.

      It is unreasonable to expect Cox to behave differently. He's seen what happened to Dmitry. He knows what could happen if he were to disclose this information to Americans, then set foot in the United States. Cox did the right thing.
    • Re:For God's sake by Tony-A (Score:2) Sunday November 11 2001, @01:07PM
  • I support Cox (Score:5, Insightful)

    by psicE (126646) on Sunday November 11 2001, @09:44AM (#2550706) Homepage
    The United States hasn't been the land of the free since the 1960s, and the DMCA just puts us one step closer towards not having freedom of speech. If Alan Cox feels that he needs to block all Americans from seeing the Linux changelogs to make his point, so be it. It's not like he's blocking people who live in free countries from viewing the changelogs. And if the US repeals the DMCA and doesn't pass a similar law, Cox will open up the changelogs again - he believes in keeping them open but doesn't want to get arrested for it, unlike Microsoft who wants to keep them closed as a business strategy.
    • Careful - Europe is not that far behind... by jneves (Score:2) Sunday November 11 2001, @11:06AM
    • Re:I support Cox by GauteL (Score:2) Sunday November 11 2001, @12:21PM
    • The dangers of illegality (Score:4, Insightful)

      by mangu (126918) on Sunday November 11 2001, @12:26PM (#2551034)
      The United States hasn't been the land of the free since the 1960s


      A debatable point, as the US Constitution Article XVIII, ratified in 1919, forbade the "manufacture, sale, or transportation of intoxicating liquors". This article was repealed in 1933, after prohibition proved its total uselessness in preventing alcohol consumption, but there are similar laws today prohibiting the use of several recreational drugs. The main effect of such prohibition is creating a strong incentive for organized crime. The prohibition is no obstacle to former drug users becoming presidents of the USA, for instance.


      As Robert Heinlein said: "I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; If I find them too obnoxious, I break them. I am free because I know that I alone am responsible for everything I do" (The Moon is a Harsh Mistress, 1966).


      This doesn't mean that we should tolerate any such stupid laws as the DMCA or drug prohibition. Those laws have the very dangerous side effect of creating a large number of corrupt law enforcement officers. Corruption in law enforcement is, IMHO, a much greater danger to freedom.

  • And who exactly.... (Score:2, Interesting)

    by EvlPenguin (168738) on Sunday November 11 2001, @09:48AM (#2550711) Homepage
    ...would prosecute the kernel developers as a result of full disclosure? I thought the DMCA's "circumvention" clauses only apply to the company/entity that made the product which is being exploited? I seriously doubt anyone on the kernel development team would start a lawsuit.

    Alan has done some great work. But he really needs to step off of his soap box for a few minutes.
    • NO LAWSUIT NEEDED. DMCA = FEDERAL CRIME by Anonymous Coward (Score:3) Sunday November 11 2001, @09:57AM
    • Re:And who exactly.... (Score:5, Informative)

      by RickHunter (103108) on Sunday November 11 2001, @11:36AM (#2550895)

      I believe the suggested exchange would go something like this:

      • L33T H4X0R H finds Linux vulnerability mentioned in kernel changelog.
      • Knowing that many sites do not keep their kernels up-to-date for a variety of reasons, H creates an exploit for said vulnerability.
      • Big Company R has their servers broken into by H, and valuable "intellectual property" is stolen, including copyrighted materials and trade secrets.
      • Big Company R consults with its Lawyers.
      • Big Company R concludes that H is going to be too expensive to track down. The Lawyers, however, have a different target. The Linux changelog was a crucial component in a circumvention device intended to breach protections on R's valuable "intellectual property"!
      • Kernel Hacker A, who happens to be responsible for writing changelogs, visits America on a routine business trip.
      • Federal forces waiting for A grab him, throw him in jail, and leave him there for several months before trying him, convicting him under the DMCA, and leaving him there for several years.

      Now, while you may be eager to spend several years in Jail, Mr. Cox is not.

    • Re:And who exactly.... (Score:4, Informative)

      by pbryan (83482) <email@pbryan.net> on Sunday November 11 2001, @12:14PM (#2550999) Homepage
      The DMCA can not only be applied in civil litigation; it can also be applied in a criminal prosecution. Case in point: Dmitry Sklyarov [eff.org].

      Dmitry was arrested by the FBI based on a "tip" they received from Adobe. Adobe withdrew their complaint, but that didn't stop the FBI. The FBI concluded that criminal law was being violated, and that Dmitry should be prosecuted.

      If all it takes is one relatively credible tipster to cause the arrest of Cox for violating the DMCA, then Cox's actions seem perfectly reasonable. If he were to visit the United States, he'd like to go home when he's done.
  • DMCA? (Score:2, Interesting)

    by autopr0n (534291) on Sunday November 11 2001, @09:49AM (#2550712) Homepage Journal
    How on earth could Linux security information be a violation of the DMCA? Linux is not a 'content protection system'. The DMCA doesn't say you can't hack, it only says you can't hack content protection.
    • Re:DMCA? (Score:5, Informative)

      by mocm (141920) on Sunday November 11 2001, @10:04AM (#2550739) Homepage
      Of course, it is a content protection system. The file permissions protect the content of certain files to be read by certain users.
      So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have a copyright violation case with the breaking of a content protection system covered under the DMCA.
      And guess whose fault it was for publishing the information in the changelog.
      Next time Alan Cox comes to the US, he is arrested and prosecuted under the DMCA.

      As ridiculous as the example is, it is possible.
      • Hrm. by autopr0n (Score:3) Sunday November 11 2001, @10:54AM
        • Re:Hrm. by Ami Ganguli (Score:3) Sunday November 11 2001, @02:01PM
        • Re:Hrm. by innocent_white_lamb (Score:2) Sunday November 11 2001, @04:10PM
          • Re:Hrm. by autopr0n (Score:1) Sunday November 11 2001, @10:25PM
  • by Marcus Brody (320463) on Sunday November 11 2001, @09:57AM (#2550726) Homepage
    This is a pretty good discussion of the whole debacle from The Register [theregister.co.uk].
    No, Alan Cox is not pro non-disclosure. But it does seem to have been an unintended side effect of his swipe at the DMCA.
  • by imrdkl (302224) on Sunday November 11 2001, @09:57AM (#2550727) Homepage Journal
    I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak. Whether in jest or as a form of protest, his actions were widely publicized, and if it starts a trend, maybe there is a problem. The eventual changelog was, however, posted here on /., and I somehow doubt that such actions will be taken again, at least not in protest.

    The international nature of Linux development makes it a potential platform for protest and discontent, but at the same time, developers can and do seem to recognize the importance of their role in the endeavor. They should be excused for occasionally "acting out", imho.

    Politicians aren't made overnight.

  • diff the code? (Score:4, Insightful)

    by peterdaly (123554) <petedaly@ix.netcom . c om> on Sunday November 11 2001, @10:02AM (#2550732) Homepage
    Am I totally missing something? If you really want to know what was changed (if not why), can't you just diff the code of the two versions?

    I don't think we really need to know HOW the bad code could be exploited...the smart people should be able to figure that out for themselves by looking at the code. Why help the script kiddies? "Fixed some major security flaws" type message is good enough for me as a user.

    -Pete
    • Re:diff the code? by trilucid (Score:3) Sunday November 11 2001, @10:34AM
    • Re:diff the code? (Score:5, Funny)

      by grammar nazi (197303) on Sunday November 11 2001, @10:38AM (#2550781) Journal
      WATCH WHAT YOU SAY!!

      If you keep speaking like that, peterdaly, then diff might become a circumvention device under the DMCA and thus, will be banned in the United States.

      If you want to keep various GNU Tools such as diff, cat, cp, and ghex, then you have to hide the fact that they are useful for anything other than taking up space. Otherwise we risk them becoming circumvention devices under the DMCA.

    • Re:diff the code? by Florian Weimer (Score:3) Sunday November 11 2001, @11:51AM
    • Re:diff the code? by GauteL (Score:3) Sunday November 11 2001, @12:18PM
  • That Alan Cox comment was a protest! (Score:2, Interesting)

    by Cyclops (1852) <rms@@@1407...org> on Sunday November 11 2001, @10:08AM (#2550744) Homepage
    Come on, how can you not understand that that comment from Alan Cox was a protest (though using some British sense of humour?).

    There is full disclosure. Just look at the diff.

    I can't understand how people can claim to understand free software development and then have these claims.

    Hugs, Cyclops
  • by Karpe (1147) on Sunday November 11 2001, @10:12AM (#2550748) Homepage
    ...he just does not want to go to jail.

    The way to deal with the DMCA is not to pretend it does not exist, but to show how ridiculous it is, and that means obeying it and showing how it limits development. You cannot think about computer security without considering the legal aspects. Of course full disclosure would be better, but at what price?
    Cox could *actually* go to jail in his next visit to the USA in case he did it. (Think not? Dmitry also didn't believe it could happen.) I am sure you can get the information of what was changed in the kernel by other means (linux-kernel?), but it is very important to be registered in the log that we are being limited by the DMCA. I don't know, perhaps in a nicer future someone will look back at these logs and ask why he didn't describe the problems, and then they will remember how the abuse of corporate power has changed law in an unconstitutional and limiting way.

    We are not talking about boys playing in a BBS, we are talking about real men with real families, people important in our community, that could go to jail because of stupid laws in the lack of this responsibility.
  • Oh Enough of this already... (Score:5, Informative)

    by GC (19160) <giles@coochey.net> on Sunday November 11 2001, @10:15AM (#2550749)
    This is only being restricted to the US. The rest of us all have this information.

    If you really want to see it, click here:

    kernel-2.2.20.log [homeip.net]

    kernel-2.2.20pre11.log [homeip.net]

    I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.
  • I have an idea.... (Score:1)

    by BiggestPOS (139071) on Sunday November 11 2001, @10:19AM (#2550756) Homepage
    Take the Source from the Former Version, and the Current One, compare the two, and note all the changes..... The information is obviously there, it's just that Alan just isn't giving us the spoon anymore...
  • by Billly Gates (198444) on Sunday November 11 2001, @10:21AM (#2550757) Homepage Journal
    Is linux being used to hack descrambler boxes? Is it being used to decrypt dvd's? What exactly does Linux do? The answer is that linux is a kernel that runs on pc hardware. There is nothing illegal or controversial about it. Unless you use BSD of course. :-) But my point is that a changelog is not a circumvention device. It doesn't actually do anything. The case with the adobe and the russian programmer is different. He showed how to illegally open sensitive and copy-righted oops I mean controlled works without adobe's permission. The only person who can sue alan is linus. I don't think he will do this. Anyway alan did not reverse engineer linux anyway. He just read about security related issues and manually fixed the source. The gpl allows this. Since linux is only used to boot a pc and not circumvent a copyright there is nothing even Linus can do. In other words Alan is full of shit.

  • Right... (Score:2, Insightful)

    by carm$y$ (532675) on Sunday November 11 2001, @10:25AM (#2550763) Homepage
    From the article:
    Although commercial tools are available that scan for vulnerabilities, the lag time between development of the exploit and the next periodic update to security scanning packages is too long for many enterprises.

    Not to mention that the commercial tools usually cost $$$, and have their own problems and shortcomings; the alternative being to download the exploit from bugtraq and try it yourself against your machines.
    From my experience - I work as a unix sysadmin for a small-to-medium software company - waiting for vendor updates (any vendor, from Sun to M$) is akin to giving up... blocking the traffic in the firewall is to survive. You have to know what to block, obviously.
    So, IMHO there is nothing like first-hand experiencing the exploits. I know the script-kiddies say the same thing. :) But what's the alternative?
  • Amazing...simply....Amazing! (Score:4, Insightful)

    by pwagland (472537) on Sunday November 11 2001, @10:41AM (#2550789) Journal
    First, hasn't it [slashdot.org] already been discussed?

    Second, why is everyone here so upset? Oh, hang on. This affects, um who was it? Oh that's right, the Americans. We really shouldn't upset them should we? Most of the comments that I have seen modded up so far basically say one of the following things:

    1. Alan is chickenshit for not wishing to put himself at risk of prosecution. If it was me, I would go to jail, that way I wouldn't piss off the Americans!
    2. Those damn British! They are sooooo jealous that we are more powerful than them now. Why don't they move past the jealousy and just give us the changelogs!
    3. (This is at least half reasonable.) They don't really want to prosecute "reasonable" people. They are just after the ones that piss off big business. What's wrong with that? Just give us our changelogs!

    Well, sadly:

    1. This is not a law that you can just ignore. It will not just go away. It is not clear exactly who can be prosecuted, or for what.
    2. The only way that laws go away is for someone, or some large group, to say "this is stupid". Let's change it. Whinging about a missing changelog does not do that. Raising awareness may or may not do that, but it can't really hurt.

    Hands up all of the Americans who have written their senator, state and federal. Hands up to all of those who have given financial, or other, support to movements who are trying to repeal the DMCA. Hands up all those who would just rather whinge when that law inconveniences them. Hmm. Thought so, on that last question the number of hands went up by 10.

    If you are really so cut up about it, figure out what has changed (it isn't really that hard, it has been talked about in the previous article) and post it yourself. Then to prove to Alan what a fool he is, walk down to the DA's office and get a written statement saying that they will not prosecute you for releasing that information. Make entirely clear to them that you have released information that could help people circumvent rights management, and get the DA to sign saying that they would not prosecute you for releasing this information.

    Personally, I don't think that this will happen, since most people would rather make Alan the bad guy over taking any personal risk. I dare you to prove me wrong.

  • by Kirkoff (143587) on Sunday November 11 2001, @10:45AM (#2550791)
    Alan Cox could just use the Linux Comment System(TM). You know, how Linus will implement a whole new VM and the changelog states "VM Fixes." Using Linus's model for this, Alan Cox would definitely just state "Fixed security issues" for most any bug. Heck, he could even put it in the "Random Fixes" catchall. Then all Alan has to do is run around saying to people stuff like "I don't really care about Micro*cough* - The DMCA. It bores me."

    Maybe we would all do better following Linus's methods. Let's say you need to turn in an Essay on Lord of the Flies, it's simple:
    • Essay Pre-1 "Plane crash"
    • Essay Pre-2 "Establish democracy"
    • Essay Pre-2 "formed resistance"
    • Essay Pre-3 "War - people died"
    • Essay Pre-4 "Ship arrives restored grownups"


    As you can see, this eases your everyday life. It gets rid of the unintended problems that spring from caring about anything but the task at hand.

    --Josh
  • by damas (469487) <alternateblade AT yahoo DOT com> on Sunday November 11 2001, @10:52AM (#2550804)
    What if there is some serious kernel security hole in pre-2.2.20 and 2.0.x kernels affecting Bastille, RedHat up to 7.0 and EVERY OTHER linux system having a pre-2.2.20 kernel installed? What the heck is Alan hiding?
  • by Bake (2609) on Sunday November 11 2001, @10:54AM (#2550809) Homepage
    Is why people think software with its encryption is any different from other products.

    Is Ford or Firestone suing the group that discovered the flaw when you put an Explorer on Firestone tires?
    Are lockmakers suing those that pick locks?

    Why do software companies think they're so "special" in that regard?

    Isn't there a consumers' association in the US?
    If there is, I don't know how they act, but in many countries this sort of association tries to keep regular companies on their toes by regularly testing their products and giving them a thumbs-up or thumbs-down verdict. Also if consumers are having problems with a company due to a breach of contract or bad sale or whatever, the association has a bunch of lawyers on their payroll who are willing to sue.
    Wouldn't it just be a great idea if encryption-breakers could team up with that kind of organisation? I mean, it is of course in the consumer's interest that this sort of work goes on.
    • Well.. by mindstrm (Score:2) Sunday November 11 2001, @11:51AM
      • Re:Well.. by innocent_white_lamb (Score:1) Sunday November 11 2001, @04:54PM
  • by EXTomar (78739) on Sunday November 11 2001, @10:58AM (#2550814) Journal
    ...place to detail security changes. Isn't the purpose of the Changelog to provide a brief at-a-glance notification of changes? After all you don't want the 10k of gory details about why ext3 driver was patched nor should there probably be security alerts. Instead how about make another document or document directory in the Documentation that details stuff like this instead of harping on maintainers of Changelog?
  • Why should Cox risk jailtime ? (Score:5, Insightful)

    by jneves (448063) on Sunday November 11 2001, @11:00AM (#2550821) Homepage
    The article says Cox is wrong because he should stand by full disclosure. While I know that Alan did this as a protest, I don't understand the reasoning of those who "attack" his position. Why should somebody like Alan risk to go to jail for disclosing information that can facilitate the circumvention of filesystem's permissions ?

    We all know that that is illegal in the USA, thanks to the DMCA, and in a little over one year, will also be illegal in most of Europe, thanks to the EUCD - European Union Copyright Directive.

    My question is: Why should he take the risk ? Until now, Sklyarov is still in jail, Felten hasn't got the court's permission to present his article and I still can't get a DVD player with any GNU/Linux distribution. Isn't this enough to make one think twice before entering the security field ?

  • M.I.B's (Score:2, Funny)

    by GISboy (533907) on Sunday November 11 2001, @11:03AM (#2550830) Homepage
    Elias Levy wrote an eloquent rebuttal to the Microsoft essay. But I'd like to zero in on one particularly egregious claim Culp makes in his argument: that an administrator "doesn't need to know how a vulnerability works in order to understand how to protect against it."

    The M.I.B's (Microsofties In Black) would be proud.

    Just claim "you don't need to know".

    And the 'Little Flashie Thingies' don't hurt either.
  • Alan Cox yet again (Score:1, Flamebait)

    by tannhaus (152710) on Sunday November 11 2001, @11:05AM (#2550834) Homepage Journal
    Alan Cox is definitely beginning to irritate me in the last few months. First, he won't change over the VM, then he won't disclose the changelogs. He finally gave in on the VM.

    Mr. Cox, do you adhere to all the rules of the U.S. as a British citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.

    The DMCA is a U.S. law. Dmitry Sklyarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention. This is simply ridiculous. You can't be put in jail for publishing changelogs to your own code.

    Oh my god...last week I tried to hack my own linux box! I'm a fugitive from justice!

    Personally, I vote Alan Cox finds him a nice little therapist somewhere in merry old England and tries to get some help.
    • Re:Alan Cox yet again by Snootch (Score:2) Sunday November 11 2001, @01:56PM
    • by alienmole (15522) on Sunday November 11 2001, @02:01PM (#2551253)
      The DMCA is a U.S. law. Dmitry Sklyarov was arrested while breaking the DMCA on U.S. soil.

      Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.

      The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.

      Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.

      This business of having draconian laws which are enforced at the authorities' discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.

      If you're saying that you support the DMCA as written, then I suppose we have a totally different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.

      Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.

  • Publishing source violates DMCA (Score:3, Interesting)

    by z19752002 (533882) on Sunday November 11 2001, @11:06AM (#2550838)

    Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.

  • by Anonymous Coward on Sunday November 11 2001, @11:36AM (#2550897)
    he was taking the piss!!
  • by Anonymous Coward on Sunday November 11 2001, @11:39AM (#2550907)
    OK people, the Linux community has a great news article summary site called Linuxtoday [linuxtoday.com].

    Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs [newsforge.com].

    For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.

    So, basically, he's making a political point about stupid laws. He's welcome to if that's what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.

    Glenn

  • join the eff (Score:2)

    by martinflack (107386) on Sunday November 11 2001, @11:49AM (#2550936)
    Fight bad laws like DMCA. Join the EFF [eff.org]. It's that simple.
  • DMCA implies CLOSED SOURCE (Score:3, Insightful)

    by Bob Clary (224900) on Sunday November 11 2001, @12:30PM (#2551041)

    If the kernel change logs can be used to provide information to hackers that would result in criminal liability, does not the entire kernel source provide the same information?

    Doesn't that imply that the entire Linux Kernel Source should be closed and only Binaries provided?

    If Alan Cox is allowed to use Linux as his own political soapbox, then Linux itself is history. Where the hell is Linus?

  • Alan's taking the easy way out (Score:3, Flamebait)

    by SMN (33356) on Sunday November 11 2001, @01:27PM (#2551169)
    This is liable to be score (-1, Unpopular Opinion), but it needs to be said:

    If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.

    Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.

    Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.

  • by GNU Zealot (442308) on Sunday November 11 2001, @02:17PM (#2551287) Homepage
    My interpretation of Alan's actions was that they were more of a joke or satirical political comment. Am I wrong? I don't read the kernel mailing lists or anything, so it's not like I have the best insight into the issue. Would someone who actually somewhat knows Alan mind telling us his real motivation for censoring the changelogs?
  • by twilight30 (84644) on Sunday November 11 2001, @02:45PM (#2551389) Homepage
    Anyone know if Jay Beale is still employed by MandrakeSoft?

  • Not Open Enough (Score:1, Flamebait)

    by Lazaru5 (28995) on Sunday November 11 2001, @02:48PM (#2551402)
    I have always favored the BSD freenixes over Linux. One primary reason is that all code is maintained in publicly viewable CVS servers.

    Linux, unfortunately, is not. To the best of my knowledge, Linus doesn't even use CVS privately. If you want to upgrade your kernel, you have to wait for new releases in the form of full or patch tarballs delivered to kernel.org like manna from heaven (Linus). There's no easy way to see arbitrary changes in any file at any time. There's no reading commit logs.

    For that matter, there's no easy way to contribute. That is to say, there's not an _easier_ way. You have to mail your patches to some list or maintainer, etc. There's no public bug tracker.

    When will it be Open? Or is Free enough?
  • Full Changelog (Score:2, Informative)

    by Anonymous Coward on Sunday November 11 2001, @03:09PM (#2551461)
    Here's the full uncensored changelog for Linux 2.2.20:

    2.2.20 final
    o Final fixes for the computone driver (Michael Warfield)

    2.2.20pre12
    o Update davicom driver to fix oopses (Sten Wang)
    o Updated PC300 driver - fix SCA-II DMA bugs
    (Daniela P. R. Magri Squassoni)
    o Make syn cookies per socket (Andi Kleen)
    o Computone driver fixes for fast PC's (Michael Warfield)
    | Follow on devfs patches didnt apply so dropped
    o DAC960 update (Leonard Zubkoff)

    2.2.20pre11
    o Security fixes
    - Quota buffer overrun , possibly locally (Solar Designer)
    exploitable
    - Ptrace race - local root exploit (Rafal Wojtczuk,
    - Symlink local denial of service attack Solar Designer,
    fix Linus Torvalds)
    - Sparc exec fixups (Solar Designer)
    o Sparc updates (Dave Miller)
    o Add escaped usb hot plug config item (Ryan Maple)
    o Fix eepro10 driver problems (Aris)
    o Make request_module return match 2.4 (David Woodhouse)
    o Update SiS900 driver (Hui-Fen Hsu)
    o Update ver_linux to match 2.4 (Steven Cole)
    o Final isdn fixups for 2.2 (Kai Germaschewski)
    o scsi tape fixes from 2.4 (Kai Mäkisara)
    o Update credits entry (Henrik Storner)
    o Fix scc driver hang case (Jeroen)
    o Update credits entry (Dave Jones)
    o Update FAT documentation (Hirokazu Nomoto)
    o Small net tweaks (Dave Miller)
    o Fix cs89xx abuse of skb->len (Kapr Johnik)

    2.2.20pre10
    o Update the gdth driver (Achim Leubner)
    o Fix prelink elf loading in 2.2 (Jakub Jelinek)
    o 2.2 lockd fixes when talking to HP/UX (Trond Myklebust)
    o 3ware driver update (Adam Radford)
    o hysdn driver update (Kai Germaschewski)
    o Backport via rhine fixes (Dennis Bjorklund)
    o NFS client fixes (Trond Myklebust, Ion Badulescu,
    Jim Castleberry, Crag I Hagan.
    Adrian Drzewiecki)
    o Blacklist TEAC PD-1 to single lun (Wojtek Pilorz)
    o Fix null request_mode return (David Woodhouse)
    o Update credits entry (Fernando Fuganti)
    o Fix sparc build with newer binutils (Andreas Jaeger)
    o Starfire update (Ion Badulescu)
    o Remove dead USB files (Greg Kroah-Hartmann)
    o Fix isdn mppp crash case (Kai Germaschewski)
    o Fix eicon driver (Kai Germaschewski)
    o More pci idents (Andreas Tobler)
    o Typo fix (Eli Carter)
    o Remove ^M's from some data files (Greg Kroah-Hartmann)
    o 64bit cleanups for isdn (Kai Germaschewski)
    o Update isdn certificates (Kai Germaschewski)
    o Mac update for sysrq (Ben Herrenschmidt)

    2.2.20pre9
    o Document ip_always_defrag in proc.txt (Brett Eldrige)
    o Update S/390 asm for newer gcc (Ulrich Weigand
    o Update S/390 documentation Carsten Otte
    o Update s390 dump too and co)
    o Update s/390 dasd to match 2.4
    o Backport s/390 tape driver from 2.4
    o FDDI bits for s/390
    o Updates for newer pmac laptops (Tom Rini)
    o AMD760MP support (Johannes Erdfelt)
    o Fix PPC oops on media change (Tom Rini)
    o Fix some weird but valid input combinations (Tom Rini)
    on PPC
    o Add additional checks to irc dcc masquerade (Juanjo Ciarlante,
    Michal Zalewski)
    o Update 2.2 ISDN maintainer (Kai Germaschewski)
    o Fix 3c505 with > 16Mb of RAM (Paul)
    o Bring USB into sync with 2.4.7 (Greg Kroah-Hartmann)

    2.2.20pre8
    o Merge DRM fixes from 2.4.7 tree (me)
    o Merge sbpcd fixes from 2.4.7 tree
    o Merge moxa buffer length check
    o Merge bttv clip length check
    o Merge aha2920 shared irq from 2.4.7 tree
    o Merge MTWEOF fix from 2.4.6 tree
    o Merge serverworks AGP from 2.4.6 tree
    o Merge sbc60xxx watchdog fixes from 2.4.6
    o Merge lapbether fixes from 2.4.6
    o Merge bpqether fixes from 2.4.6
    o Merge scc fixes from 2.4.6
    o Merge lmc memory leak fixes from 2.4.6
    o Merge sm_wss fixes from 2.4.6
    o Resync AGP support with 2.4.6
    o Merge epca fixes from 2.4.5
    o Merge riscom8 fixes from 2.4.5
    o Merge softdog fixes from 2.4.5
    o Merge specialix fixes from 2.4.5
    o Merge wdt/wdt_pci fixes from 2.4.5
    o ISDN cisco hdlc fixes (Kai Germaschewski)
    o ISDN timer fixes (Kai Germaschewski)
    o isdn minor control change backport (Kai Germaschewski)
    o Backport ELCR MP 1.1 config/PCI routing stuff (John William)
    o Backport isdn ppp fixes from 2.4 (Kai Germaschewski)
    o Backport isdn_tty fixes from 2.4 (Kai Germaschewski)
    o eicon cleanups (Armin Schindler)
    | Armin can you double check the clashes were ok
    o Fix an ntfs oops (Anton Altaparmakov)
    o Fix arp null neighbour buglet (Dave Miller)
    o Update sparc version strings, pci fixups (Dave Miller)
    o Define CONFIG_X86 in 2.2 as well as 2.4 (Herbert Xu)
    o Configure.help cleanups (Steven Cole)
    o Add MODE_SELECT_10 to qlogic fc table (Jeff Andre)
    o Remove dead oldproc variable (Dave Miller)
    o Update starfire driver for 2.2 (Ion Badulescu)
    o 8139too driver update (Jens David)
    o Assorted race fixes for binfmt loaders (Al Viro)
    o Update Alpha support for older boxes (Jay Estabrook)
    o ISDN bsdcomp/ppp compression fixes (Kai Germaschewski)

    2.2.20pre7
    o Merge rose buffer management fixes (Jean-Paul Roubelat)
    o Configure.help updates (Steven Cole)
    o Add Steven Cole to credits (Steven Cole)
    o Update kbuild list info (Michael Chastain)
    o Fix slab.c doc typo (Piotr Kasprzyk)
    o Lengthen parport probe timeout (Jean-Luc Coulon)
    o Fix vm86 cleanup (Stas Sergeev)
    o Fix 8139too build bug (Jürgen Zimmermann)
    o Fix slow 8139too performance (Oleg Makarenko)
    o Sparc64 exec fixes (Solar Designer)

    2.2.20pre6
    o Merge all the pending ISDN updates (Kai Germaschewski)
    | These are sizable changes and want a good testing
    o Fix sg deadlock bug as per 2.4 (Douglas Gilbert)
    o Count socket/pipe in quota inode use (Paul Menage)
    o Fix some missing configuration help texts (Steven Cole)
    o Fix Rik van Riel's credits entry (Rik van Riel)
    o Mark xtime as volatile in extern definition (various people)
    o Fix open error return checks (Andries Brouwer)

    2.2.20pre5
    o Fix a patch generation error, replaces 2.2.20pre4 which is
    wrong on ad1848

    2.2.20pre4
    o Fix small corruption bug in 82596 (Andries Brouwer)
    o Fix usb printer probing (Pete Zaitcev)
    o Fix swapon/procfs race (Paul Menage)
    o Handle ide dma bug in the CS5530 (Mark Lord)
    o Backport 2.4 ipv6 neighbour discovery changes (Dave Miller)
    o FIx sock_wmalloc error handling (Dave Miller)
    o Enter quickack mode for out of window TCP data (Andi Kleen)
    o Fix Established v SYN-ACK TCP state error (Alexey Kuznetsov)
    o Sparc updates, ptrace changes etc (Dave Miller)
    o Fix wrong printk in vdolive masq (Keitaro Yosimura)
    o Fix core dump handling bugs in 2.2 (Al Viro)
    o Update hdlc and synclink drivers (Paul Fulghum)
    o Update netlink help texts (Magnus Damm)
    o Fix rtl8139 keeping files open (Andrew Morton)
    o Further sk98 driver updates. fix wrong license (Mirko Lindner)
    text in files
    o Jonathan Woithe has moved (Jonathan Woithe)
    o Update cpqarray driver (Charles White)
    o Update cciss driver (Charles White)
    o Don't delete directories on an fs that reports (Ingo Oeser)
    then 0 size when doing distclean
    o Add support for the 2.4 boot extensions to 2.2 (H Peter Anvin)
    o Fix nfs cache locking corruption on SMP (Craig Hagan)
    o Add missing check to cdrom readaudio ioctl (Jani Jaakkola)
    o Fix refclock build with newer gcc (Jari Ruusu)
    o koi8-r fixes (Andy Rysin)
    o Spelling fixes for documentation (Andries Brouwer)

    2.2.20pre3
    o FPU/ptrace corruption fixes (Victor Zandy)
    o Resync belkin usb serial with 2.4 (Greg Kroah-Hartmann)
    o Resync digiport usb serial with 2.4 (Greg Kroah-Hartmann)
    o Rsync empeg usb serial with 2.4 (Greg Kroah-Hartmann)
    o Resync ftdi_sio against 2.4 (Greg Kroah-Hartmann)
    o Bring keyscan usb back into line with 2.4 (Greg Kroah-Hartmann)
    o Resync keyspan_pda usb with 2.4 (Greg Kroah-Hartmann)
    o Resync omninet usb with 2.4.5 (Greg Kroah-Hartmann)
    o Resync usb-serial driver with 2.4.5 (Greg Kroah-Hartmann)
    o Resync visor usb driver with 2.4.5 (Greg Kroah-Hartmann)
    o Rsync whiteheat driver with 2.4.5 (Greg Kroah-Hartmann)
    o Add edgeport USB serial (Greg Kroah-Hartmann)
    o Add mct_u232 USB serial (Greg Kroah-Hartmann)
    o Update usb storage device list (Stas Bekman, Kaz Sasayma)
    o Bring usb acm driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring bluetooth driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring dabusb driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring usb dc2xx driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring mdc800 usb driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring rio driver into line with 2.4.5 (Greg Kroah-Hartmann)
    o Bring USB scanner drivers into line with 2.4.5 (Greg Kroah-Hartmann)
    o Update ov511 driver to match 2.4.5 (Greg Kroah-Hartmann)
    o Update PCIIOC ioctls (esp for sparc) (Dave Miller)
    o General sparc bugfixes (Dave Miller)
    o Fix possible oops in fbmem ioctls (Dave Miller)
    o Fix reboot/halt bug on "Alcor" Alpha boxes (Tom Vier)
    o Update osst driver (Willem Riede)
    o Fix syncppp negotiation bug (Bob Dunlop)
    o SMBfs bug fixes from 2.4 series (Urban Widmark)
    o 3ware IDE raid driver updates (Adam Radford)
    o Fix incorrect use of bitops on non long types (Dave Miller)
    o Fix reboot/halt bug on 'Miata' Alpha boxes (Tom Vier)
    o Update Tim Waugh's contact info (Tim Waugh)
    o Add TIOCGSERIAL to sun serial on PCI sparc32 (Lars Kellogg-Stedman)
    o ov511 check user data more carefully (Marc McClelland)
    o Fix netif_wake_queue compatibility macro (Andi Kleen)

    2.2.20pre2
    o Fix ip_decrease_ttl as per 2.4 (Dave Miller)
    o Fix tcp retransmit state bug (Alexey Kuznetsov)
    o Fix a few obscure sparc tree bugs (Dave Miller)
    o Fix fb /proc bug and OF fb name size bug (Segher Boessenkool)
    o Fix complie with CONFIG_INTEL_RNG=y (Andrzej Krzysztofowicz)
    o Fix rio driver when HZ!=100 (Andrzej Krzysztofowicz)
    o Stop 3c509 grabbing other EISA boards (Andrzej Krzysztofowicz)
    o Remove surplus defines for root= names (Andrzej Krzysztofowicz)
    o Revert pre1 APIC change

    2.2.20pre1
    o Fix SMP deadlock in NFS (Trond Myklebust)
    o Fix missing printk in bluesmoke handler (me)
    o Fix sparc64 nfs (Dave Miller)
    o Update io_apic code to avoid breaking dual (Johannes Erdfelt)
    Athlon 760MP
    o Fix includes bugs in toshiba driver (Justin Keene,
    Greg Kroah-Hartmann)
    o Fix wanpipe cross compile (Phil Blundell)
    o AGPGART copy_from_user fix (Dawson Engler)
    o Fix alpha resource setup error (Allan Frank)
    o Eicon driver updates (Armind Schindler)
    o PC300 driver update (Daniela Squassoni)
    o Show lock owner on flocks (Jim Mintha)
    o Update cciss driver to 1.0.3 (Charles White)
    o Backport cciss/cpqarray security fixes (me)
    o Update i810 random number generator (Jeff Garzik)
    o Update sk98 driver (Mirko Lindner)
    o Update sis900 ethernet driver (Hui-Fen Hsu)
    o Fix checklist glitch in make menuconfig (Moritz Schulte)
    o Update synclink driver (Paul Fulghum)
    o Update advansys scsi driver (Bob Frey)
    o Ver_linux fixes for 2.2 (Steven Cole)
    o Bring 2.2 back into line with the master ISDN (Kai Germaschewski)
    o Whiteheat usb driver update (Greg Kroah-Hartmann)
    o Fix via_rhine byte counters (Adam Lackorzynski)
    o Fix modem control on rio serial (Rogier Wolff)
    o Add more Iomega Zip to the usb storage list (Wim Coekaerts)
    o Add ZF Micro watchdog (Fernando Fuganti)
  • How about a diff? (Score:1)

    by an_mo (175299) on Sunday November 11 2001, @04:27PM (#2551681) Journal
    Excuse my ignorance on the subject, but isn't the kernel open source? Why couldn't one do a simple diff to see what's changed?
  • Think Unix (Score:2)

    by danny (2658) on Sunday November 11 2001, @05:16PM (#2551824) Homepage
    It's a cool book. If you want to know more about it, check out Lasser's web site [tux.org], or read my own book review [dannyreviews.com].

    Danny.

  • by budGibson (18631) on Sunday November 11 2001, @05:26PM (#2551853)
    As I see it, Linux is open-source and a community project. Does the DMCA keep developers within an organization from communicating with each other? No. Therefore, it should not keep Mr. Cox from communicating errata to the organization that develops Linux, which happens to be the open-source community.

    Now, having said that, it seems that some sticky points may come up when you consider that there are commercial entities that profit from reselling linux or, if you will, conveniently packaging it. Could they claim commercial wrong by revealing possible exploits? Hmmm?

    Perhaps the most pragmatic approach would be to alter the license that the code is distributed under to say that the user/repackager recognizes the right of individuals to specify the existence of security holes and how to fix them. That these specifications do not diminish the commercial value but rather enhance them.

    Mind you, this is not the comprehensive solution that Mr. Cox seeks. However, it is a solution that may be better suited to the community to which Mr. Cox belongs...and more feasible to boot. The DMCA is something we in the US have been saddled with. We should not let it disrupt the open source process.
  • by mj6798 (514047) on Sunday November 11 2001, @05:28PM (#2551862)
    The sad fact is that there is a lot of stuff you can put into code these days that exposes you to civil and criminal liability. People will try to bring claims of patent infringement, circumvention, copyright violations, and hacking against you.

    And open source is at a grave disadvantage here: when Microsoft violates the GPL, nobody will know about it because it is hidden in gigabytes of messy binaries. But when Apache or the Linux kernel steps on someone's toes, everybody knows about it right away because the source code is open and widely read.

    I don't have a solution for this problem other than that we need to become more active politically: open source software should not be at this disadvantage. But until the laws are fixed, decisions like Cox's will be both rational and increasingly common. Stopgap technological measures, such as anonymous posting of such information, may help in the meanwhile, but they are far from perfect, both because they don't actually remove the legal liability and because they make development unnecessarily cumbersome.

  • Idaho Letter (Score:3, Insightful)

    by ink (4325) on Sunday November 11 2001, @06:42PM (#2552040) Homepage
    Here's a letter I sent to my congressman and senators. Feel free to copy it; I hope to see people from every state follow up with letters that they have sent. Everyone needs to take action now; if only the representatives from California and New York are notified, nothing will be done.

    Representative Simpson,

    As I feared, and wrote to you about, the Digital Millennium Copyright Act (DMCA) has now crippled US software developers. Here is a thread which basically explains the situation:

    http://slashdot.org/comments.pl?sid=22882&cid=2460604

    In short: the DMCA has forced the Linux kernel developers to distinguish between "US" and "Non-US" developers. The "Non-US" group of developers are privy to all the security fixes for the kernel while the "US" group are now unable to view these changes because of recent action by DMCA proponents (the FBI's Sklyarov case, MPAA vs. 2600).

    Worse than that, we (US developers) are no longer able to participate in security development and as such are in a weaker position to ensure the security of a product -- something very important in light of September 11th. This law needs to be fixed or repealed as soon as possible; it has prevented university research from being published (see Felten vs. RIAA, SDMI) and companies are using the most ridiculous "copy protection" schemes in order to halt speaking about security.

    Your Fellow Idahoan,

    Craig M. Kelley

    Feel free to cut and paste and modify.

  • by dido (9125) <dido&imperium,ph> on Sunday November 11 2001, @09:47PM (#2552409) Homepage

    ...today he seems to be off-balance, and doesn't seem to understand all of the issues about which he speaks. Apparently he has failed to note a couple of key facts:

    1. Alan Cox hasn't censored himself. If Jon Lasser would fly to England or cross the border into either Mexico or Canada, he could find an Internet café somewhere where he could study the changelogs at his leisure.

      It's his country that's done the censorship.

    2. The DMCA has already made the full disclosure way he and everyone else who has the smallest clue about computer and information security knows to be effective illegal in the United States.

    If he wants to bitch about it, let him either write to his congressman to get the law repealed, or emigrate to some other country that doesn't have a DMCA-like law.

  • by frank_adrian314159 (469671) on Sunday November 11 2001, @10:19PM (#2552469) Homepage
    Over the past thirty years, the US has completely destroyed its manufacturing base. About the only thing we do make anymore is information. Just think! Car designs are farmed out to people in far away lands. Marketing, we still do, but that's all information, too. Same with our culturally enlightening entertainment exports.

    What does this have to do with Alan Cox? Everything...

    The powers that be in the information sector know that the loss of IP rights would completely destroy the information economy and, as such, the US economy. They cannot let go of these laws. They need them to ensure the survivability of the US economy into the next century. This is why the DMCA will be defended at every turn. This is why any act of "civil disobedience" will be punished. And if it is a foreign citizen that needs to be punished (like Dimitri or Alan) so much the better. The only people who will be crying to defend these "evil hackers" would be a bunch of ineffective nerds who can't even figure out they need to support the mainstream political parties to get their voices heard and who go away after a news article disappears from Slashdot's front page.

    So, no. I don't think that Alan is being paranoid or just making a point. What I think is that the Slashdot audience really doesn't understand the extent to which the US economy is supported by IP law and the extent to which our government will go to see those laws protected and extended.

    So go ahead. The changelogs are out there. Go ahead and host them yourselves. That is if you're not afraid to. Oh? Got to stay in and watch that Seinfeld rerun, huh? Thought so...

  • by loopkin (267769) on Monday November 12 2001, @04:05AM (#2552907) Homepage
    This is the smartest solution:
    Alan discloses the Changelog with ROT26 encryption, and therefore he is himself covered by DMCA.. don't u think so ?
  • by MZoom (93667) on Monday November 12 2001, @02:46PM (#2554959)
    First and foremost I respect and admire the work Mr. Cox does. And just as I am allowed to respect and admire his work I freely choose to disagree with his overt political opinions regarding the changelogs and the withholding of them from US citizens based on a law he is interpreting to include those changelogs.

    Secondly I admit I am not an expert on the DMCA but from what I have read and studied so far his comparison of publishing changelogs -vs- circumvention devices/reverse engineering of document protection is the equivalent to comparing apples -vs- oranges.

    In the Sklyarov case for example, Mr. Sklyarov wrote code to circumvent Adobe's ebook encryption scheme.. correct? [osopinion.com] Then Adobe complained to authorities prompting an investigation and subsequently withdrew [osopinion.com] its complaint. After investigating it was determined by the FBI that he (Sklyarov) violated US law by writing and distributing a "crack", code to circumvent Adobe's encryption scheme so that people would not have to purchase content in Adobe ebook format. With his "crack" one could gain the content without paying for it. Whether or not you agree with proprietary formats or not, "stealing" it by way of circumvention is still petty theft in my opinion.

    Back to how Cox fits in... Why would Mr. Cox fear his publishing of changelogs would be in violation? I have yet to see on Slashdot or his diary [linux.org.uk] pages or from the main pages at that website [linux.org.uk] a detailed explanation of exactly WHY he feels he needed to do this.

    And if I am right it would take a whole lot more than simply publishing the changelogs to violate the DMCA. Correct me if I am wrong, but please show me proof (from sources that are legitimate). Would "NOT" publishing the changelogs feed into the premise that the DMCA is legitimate? Wouldn't the owner of the code have to actually submit a complaint to the authorities to be charged with a violation of the DMCA, similar to what Adobe did to Mr. Sklyarov? BTW, since the linux kernel is open source and licensed under the GPL doesn't that in effect offer protection against a DMCA violation for publishing changelogs? I mean does Mr. Cox think Linus or someone else is going to complain to the FBI that he has somehow violated the DMCA by publishing changes he made to the Linux kernel? Why does he NOT worry about the changes to the kernel itself then? The kernel is obviously published all over the world including the US and it has his changes in it already doesn't it? That kinda seems oxymoronic in my opinion.

    Lastly, the irony is that I have read some comments in this article and on a previous Slashdot article [slashdot.org] that suggest the US laws are squashing freedom and the US government is oppressing its people, while neither Mr. Cox nor anyone else has mentioned anything about the UK's own RIP (Regulation of Investigatory Powers Act of 2000) from the Crown [hmso.gov.uk] itself, which is a quite scary piece of legislation and comparable to the DMCA only it has a broader, less defined scope about it. Some links on the RIP are here: World Socialist Website [wsws.org] , SiliconValley.com [siliconvalley.com] , ZDNet [zdnet.com] , The Register [theregister.co.uk].

    In summary, withholding changelogs sounds like just a little more "America bashing". While I typically choose not to be anti-anyone else my feelings of patriotism are quite high due to recent events in America. My personal view of a non-US citizen withholding information from US citizens/developers is counter productive in repealing the DMCA. Should he feel so strongly about the DMCA then I would invite him to become a US citizen and VOTE to repeal this ignorant law instead of bitching about it from some other place in the world that has its own share of ignorant laws and regulations. Yes, do something...anything but legitimizing the DMCA by withholding changelogs!

    Zoom

  • by nagora (177841) on Sunday November 11 2001, @10:23AM (#2550760)
    Little man talks big.

    What work of yours has been affected by the DMCA and what did you do about it?

  • by Ratso Baggins (516757) on Sunday November 11 2001, @10:38AM (#2550784) Homepage
    It seems to me, even as a British Citizen Living in Britain, Alan has made more of a visible and rational protest than any of the whiners... (who btw probably have the access etc to protest in a more effective manner themselves, but have they?) I know being American does NOT usually mean a humour impairment.... In fact...
  • Nitpicks (Score:2, Interesting)

    by twilight30 (84644) on Sunday November 11 2001, @10:54AM (#2550807) Homepage
    Cox is Welsh, not English. Cox lives in Wales, not England. If you're going to copy verbatim something off Adequacy, realise that even they are not going to get everything right.
  • Re:And who didn't see this coming? (Score:3, Informative)

    by rking (32070) on Sunday November 11 2001, @10:56AM (#2550811)
    Remember, the DMCA covers encryption on copyrighted works.

    People keep repeating this, where does it come from? The DMCA is not specifically about encryption. It is about technological measures that effectively control access to copyrighted works. Based on court cases so far we can safely say that encryption appears to count as one such technological measure, but that doesn't suddenly mean that it's the only measure. If it was meant to apply specifically to encryption then I think the language used would be very different.

    Linux is technological, even if you don't like the particular technology. Linux is used to control access to copyrighted works, including text files, programs, music, graphics, whatever. It isn't difficult to conclude that the security measures in Linux are technological measures that effectively control access to copyrighted works.

    That doesn't mean I'm convinced that posting this particular information would be contrary to the DMCA, I'm really not sure, but that has nothing to do with whether or not encryption is involved, which is a complete red herring.
  • Is this official Redhat policy? (Score:1, Interesting)

    by glrotate (300695) on Sunday November 11 2001, @11:32AM (#2550887) Homepage
    Alan claimed to have received legal advice. Redhat has a responsibility to its customers to disclose security info, and Alan is an employee of Redhat. What does redhat have to say about this?
  • Err... no. (Score:3, Insightful)

    by mindstrm (20013) on Sunday November 11 2001, @11:47AM (#2550930)
    The DMCA does not specifically cover 'encryption' on 'copyrighted works'.
    It covers COPYRIGHT PROTECTION MECHANISMS. You just assume those must be encrypted.

    ie: Let's say a new CD format came out that just used a couple of bits to determine if a work is permitted to be copied (and requires a new player to play, etc). Someone who reveals a way to 'ignore' those bits, ie: by hotwiring the device is also violating the DMCA.

    The linux kernel could very well have someone's copyrighted work on it, and giving someone the ability to obtain root access without authorization in order to copy that work could be constituted as a violation of the act. Yes, it's a stretch.. but not completely out to lunch. That's how broad the language of the DMCA is.

    As for the 'sheer stupidity' of a British Citizen doing this... what about that Russian Citizen who was arrested for this very law?
    If Alan wants to ever visit the US, say, to go to a conference, or the Superbowl, or whatever... he'll have to make sure he steers clear of US law, no?

    Alan isn't a proponent of security through obscurity. He's a proponent of not getting arrested upon entering the United States.
  • Re:You are making it too complicated (Score:1, Interesting)

    by Anonymous Coward on Sunday November 11 2001, @11:47AM (#2550931)
    as a u.s. citizen would you say linux is more important than your freedom of speech?
    if anything, mr. cox should be applauded for putting a thorn (however small) right in the eye of this stupid, anti-american law.
    thank you mr. cox, for making an important point and for standing up for all of us having to deal with the total idiocy that is the dmca.
  • Re:And who didn't see this coming? (Score:1, Insightful)

    by Anonymous Coward on Sunday November 11 2001, @01:17PM (#2551155)
    Tell that to this guy [freesklyarov.org]!
  • by pauljlucas (529435) on Sunday November 11 2001, @01:30PM (#2551176) Homepage Journal
    The only thing Mr. Cox has achieved ... by his action is to annoy US-based Linux users ...
    Even if that is true, the hope is, if you are a US citizen, you will be so annoyed that you will write your congressional representatives and complain.
  • by giantsquidmarks (179758) on Sunday November 11 2001, @02:06PM (#2551260)
    done...
  • I am feeding a troll, oh well (Score:1, Offtopic)

    by einhverfr (238914) <ctravers@ieee.org> on Sunday November 11 2001, @05:29PM (#2551864) Homepage Journal
    Well, since I have no way to know if security holes
    exist in the Linux kernel, I will have to switch
    to another operating system that I can verify problems
    with. Obviously if people think Linux can be run
    in a production environment before, it won't be now.
    Good thing for the BSDs at least. :)


    OpenBSD says no REMOTE security holes in 4 years in the default installation. This is a far cry from saying no holes.

    I really respect *BSD. In many instances, I think that it is somewhat more mature for some tasks than Linux. However, that does not change the argument that OpenBSD is secure because of distribution issues more than kernel issues. And there are similar Linux distributions, such as Trustix which apply the same mentality. You, sir, are a troll.