What you're talking about is commits which lack security impact information.
I explained that commit messages aren't specifically called out as a medium for security
impact information. So it doesn't matter if they don't have security impact information, any
more than it matters if they don't rhyme.
And you've responded to inform me that I "still don't understand", by which, so far as I've
been able to discover, you mean simply that I didn't agree with you about how terrible this is.
Candid means frank and open. You may be confused by seeing it used in the context "candid
camera" or "candid photographs" which refer to the fact that the subject isn't aware that
they're being watched and so they act candidly. The developers involved decided /not/ to be
candid about the bug in your example. You're cross about that, we get it. But you still
haven't given me a reason to care.
I've encountered this claim that only a handful of bugs have security impact before. It's
disappointing, particularly when it comes from someone who claims to actually care about
security. I just picked at random a harmless sounding item from the latest stable tree commit
"eCryptfs: remove unnecessary page decrypt call"
... sounds like it's probably a performance fix? Let's take a look. Oh, the bug overwrites
mmap() changes, undoing them. The kernel promises not to do that to you; breaking the promise
converts to a security impact because userspace programs that rely on this promise are now
broken and their security assumptions are violated.