Does something prevent distributing the patches?

Posted May 5, 2017 16:42 UTC (Fri) by ballombe (subscriber, #9523)
In reply to: Does something prevent distributing the patches? by tlamp
Parent article: Grsecurity goes private

You only need plausible deniability. They cannot throw away clients on a whims.

> Also a third party leakage could be compromised, how do you verify that? `Open Source Security Inc.` may not help you there.

Someone with a subscription will tell you...

to post comments

Does something prevent distributing the patches?

Posted May 5, 2017 18:28 UTC (Fri) by tlamp (subscriber, #108540) [Link] (1 responses)

> Someone with a subscription will tell you...

Then you also trust them, else the could be the one who leaked the compromised patchset.

Also even if you trust them you could make it hard to verify the validness of the leaked patch set, *if* they would release a code with a signature (I still doubt they would do that, this is merely a thought experiment). Comparing semantics is not always trivial, especially if you have thousands of thousands diffs on kernel code. Even if you are experienced kernel hacker you will still need quite some time if you really want to ensure nothing slips.

I never ever would apply a leaked security patch set to anything worth a dime for me.

If you have a trusted contact with a subscription the easiest way would be to just use their copy and stay silent.

Does something prevent distributing the patches?

Posted May 7, 2017 14:11 UTC (Sun) by jond (subscriber, #37669) [Link]

> I never ever would apply a leaked security patch set to anything worth a dime for me.

I'm not sure, but I don't think ballombe's hypothetical end-game was end-users blindly applying security patches themselves, rather the continuation of getting the useful bits mainlined.