> I imagine this is because the bad guys must be assumed to read the
> commit logs too, before releases are made,
this mentality is called security by obscurity. congratulations on having made the basic
mistake in computer security ;-).

more seriously, you're saying that the bad guys in desperation read commit logs and use the
little time between that and the actual release/widespread adoption to exploit the holes (that
takes some skill in case of kernel bugs), because the same (skilled) bad guys are unable to
find exploitable bugs themselves? do you have the *slightest* evidence to support this view
(yeah i was paraphrasing, hope you got the point and won't get sidetracked in my choice of

second, what about the good guys who need to know the same information (think IDS/IPS vendors
for one, then the many trees tracking that of Linus and trying to keep their side secure)? oh
yeah, the two sides of the coin. the problem is that you, the ultimate end user and most
affected person didn't get to flip it. maybe you personally don't want to, but there're many
others who do.

third, about this particular commit: why does it make sense to mention the DoS at all then?
don't you think it draws attention from the bad guys who can sniff an exploitable bug where
others smell a DoS only? wouldn't it have been better (from your point of view, that is) to
simply not mention anything at all? i think your imagination needs a little more consistency.

last but not least, now that you're done using your imagination, will you actually try to do
something to figure out what's really going on? you know, talking here won't get you far, your
answers are in the mailing list archives.