It's distressing to see so many of the defensive replies above that just entirely miss the
point. Considering how carefully the point has been explained, again and again, it is hard to
see this as anything other than deliberate. I don't see malice, though. Those posting to
insist there is no problem are engaging in wishful thinking, the same wishful thinking as in
our benevolent lkml leaders.

What I would like explained is why the same individuals take other security problems
seriously, but not these. Does it depend on who reported them? (I.e., has Brad reported
spurious holes in the past, leading people to discount his remarks about these cases?) Is
there some implicit maximum number of bugs that may be called out as security holes, per unit
time? Or is a bug that's newer than any released "enterprise kernel" not considered a hole,
because no patches need be released for it?