Nvidia Linux driver: Closed source makes open source unsafe

[Dapper Dan]

Just found this if anyone is interested...

[techieMoe]

Key words in the article "could", meaning this is yet another case of a hole that *could* be exploited but *hasn't been* yet. I suppose the cause for concern here is that the piece of software in question is closed-source, meaning we're at the mercy of Nvidia to fix it. Hopefully they will. I agree with the sentiments that closed-source drivers like the Nvidia modules are a problem. However at the moment there really is no other alternative for 3D acceleration.

[Dapper Dan]

This brings up a question I've had for a while.

Regardless of operating system, if security problems aren't reported, how much less of a security issue would they be? The mere fact that it is discovered and reported will certainly give someone the idea to exploit it. Would it be better to report possible security issues as a matter of duty knowing the downside of it is that someone *could* then try to exploit it? Or would it be better not to report it and let it be quietly fixed so there is less chance of that happening? I would think the more who know about a security hole the less time it will take to fix it. If only a few know, it may take considerably longer. which is the better coarse?

[carlosponti]

that is a chicken or the egg debate. think about if not reported someone would ultimately find it that knew how to write exploits and use the exploit suddenly and without warning. with the exploit being published a bunch of script kiddies will try exploiting it some with and some without success.

[Vergil83]

This brings up a question I've had for a while.

Regardless of operating system, if security problems aren't reported, how much less of a security issue would they be? The mere fact that it is discovered and reported will certainly give someone the idea to exploit it. Would it be better to report possible security issues as a matter of duty knowing the downside of it is that someone *could* then try to exploit it? Or would it be better not to report it and let it be quietly fixed so there is less chance of that happening? I would think the more who know about a security hole the less time it will take to fix it. If only a few know, it may take considerably longer. which is the better coarse?

very tricky..... I would say that if you find a security problem report it because chances are someone else find it. However, a think after a few people, the gains of fixing the hole quicker becomes less than the issues of someone making an exploit.

[d38dm8nw81k1ng]

This brings up a question I've had for a while.

Regardless of operating system, if security problems aren't reported, how much less of a security issue would they be? The mere fact that it is discovered and reported will certainly give someone the idea to exploit it. Would it be better to report possible security issues as a matter of duty knowing the downside of it is that someone *could* then try to exploit it? Or would it be better not to report it and let it be quietly fixed so there is less chance of that happening? I would think the more who know about a security hole the less time it will take to fix it. If only a few know, it may take considerably longer. which is the better coarse?

well, the way i see it: if an exploit is made public it effectively becomes "worthless" as the developers are theoretically working on a fix, and workarounds to protect yourself can be found by anyone. also, the fact that it's made public motivates companies to fix it quicker, lest they face public humiliation and outcry. imo, the most dangerous bugs are the undocumented ones.

@techieMoe: the fact that a bug goes unexploited is almost certainly because of the level of knowledge within the linux community coupled with the smaller market share. whilst i don't believe that a higher market share REVEALS more bugs, i do believe that it leads them to be exploited more often.

[bidi]

Well, it's official, the driver is flawed:
http://news.com.com/Exploit+code+pub...3-6126846.html