Here is Linus's position on the commit texts
Posted Jul 15, 2008 13:39 UTC (Tue) by hmh
In reply to: Clearly a security hole, but why not call a spade a spade?
Parent article: Stable kernel 220.127.116.11
We went through this discussion a couple of weeks ago, and I had absolutely zero interest in explaining it again.
I personally don't like embargoes. I don't think they work. That means
that I want to fix things asap. But that also means that there is never a
time when you can "let people know", except when it's not an issue any
more, at which point there is no _point_ in letting people know any more.
So I personally consider security bugs to be just "normal bugs". I don't
cover them up, but I also don't have any reason what-so-ever to think it's
a good idea to track them and announce them as something special.
So there is no "policy". Nor is it likely to change.
Now, it is pretty clear a lot of people don't agree about the "there is no _point_ in letting people know any more" part, because of security backports or whatever. Otherwise, nobody would be complaining.
Maybe someone wants to take up the "stable security announcement reviewer" and look over all patches for security fixes, documenting that for the stable team through public emails to LKML as a reply to the stable -rc patchsets?
Because otherwise, it is pretty clear it won't be done by the current team. Their priorities lie in bug fixing and development, not security management. Which is fine.
So, will someone whose first priority is security management please step up and start doing the work? All this complaining without any positive action is getting tiresome.