Announcement: Important

Alan Cox (alan@CYMRU.NET)
Mon, 26 May 1997 23:23:15 +0100

I've had various concerns when doing the Linux work with CERT, notably the
lack of work CERT does in releasing important bug reports when vendors
fail to release adequate fixes, and their lack of bug tracking for
non-Unix systems.

It is now over one year since the Sun Solaris 'rsh file descriptor bug'
that allows any user to trash network configuration of a Solaris box was
passed to you [CERT]. Nothing appears to have happened, no warning was ever
issued to users.

I no longer have any faith in CERT nor believe it is the right way to
handle the lamentably bad state of computer security today. It muddles along
like some kind of comic book 3rd world security agency trying to hide the
truth - the only reason we haven't had major computer security catastrophes
on the internet is because nobody has lit the fuse, not because we have
security.

As such I think it is inappropriate for me to continue to work with CERT
as the Linux vendor contact and ask that the Linux community find another
representative.

Bugtraq has over 10,000 subscribers, things reported there generally get
fixed and I see little evidence of increased problems through its full
disclosure policy. In future I will instead be dealing with bugs I find
and learn about directly through Bugtraq.

Alan Cox
EX Linux vendor contact