Not so fast
Posted Jun 17, 2008 22:04 UTC (Tue) by man_ls
In reply to: Congratulations are in order!
Parent article: Stable kernel 220.127.116.11 released
But wait, you have to realize the consequences of the way advocated by spender and PaXTeam: let us follow the path suggested by nix below. First find a bug, and search for a related vulnerability; then publish it along with an exploit so people take you seriously, and obtain a CVE identifier. That is the moment to send a patch to a public list pointing to the CVE so people can make informed decisions.
Et voilà! You have an unpatched vulnerability (with a published exploit in the wild) on millions of machines worldwide, and everyone who doesn't update their kernels daily is vulnerable. Is this responsible disclosure?
You may think that Linus et al are burying their heads in the sand, but try to picture yourself in their shoes; there is little else they can do but try to raise the bar, however little they can, for exploitation. Occasionally a really serious issue arises with obviously dangerous implications. Such rare events can be disclosed and publicized so hopefully everyone will patch their kernel before an exploit is published, but it cannot be done for every bug with potential security implications (i.e. a hundred times a month). Kernel users would stop paying attention quickly if every esoteric bug was magnified by the maintainers.