i don't think i ever talked about malice, what i did say was dishonesty (they're not the
same). dishonesty about having a commitment to the public yet doing something else behind the
scenes. no bad ill is required for such behaviour, my *guess* is that it's normal human
psychology: you don't need to deal with the problems you don't admit you have. just look at
last week's LWN interview with Andrew Morton (he's fully aware of what's going on on the
security lists) and how he downplays the problem of security bugs, almost as if they were on
the verge of dying out because they're in fringe driver code and so rarely in core code. yeah,
of course they're rare if they don't publish the security impact of those bugs. watch this:

> That being said, I have the impression that most of our "security holes"
> are bugs in ancient crufty old code, mainly drivers, which nobody runs
> and which nobody even loads. So most metrics and measurements on kernel
> security holes are, I believe, misleading and unuseful.

of course said "metrics and measurements" are "misleading and unuseful" if the kernel devs
falsify the input data.