Here is Linus's position on the commit texts

Posted Jul 15, 2008 13:39 UTC (Tue) by hmh (subscriber, #3838)
In reply to: Clearly a security hole, but why not call a spade a spade? by epa
Parent article: Stable kernel 2.6.25.11

http://thread.gmane.org/gmane.linux.kernel/701694/focus=706600

Linus Torvalds:

We went through this discussion a couple of weeks ago, and I had absolutely zero interest in explaining it again.

I personally don't like embargoes. I don't think they work. That means that I want to fix things asap. But that also means that there is never a time when you can "let people know", except when it's not an issue any more, at which point there is no _point_ in letting people know any more.

So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

So there is no "policy". Nor is it likely to change.

Now, it is pretty clear a lot of people don't agree about the "there is no _point_ in letting people know any more" part, because of security backports or whatever. Otherwise, nobody would be complaining.

Maybe someone wants to take up the "stable security announcement reviewer" and look over all patches for security fixes, documenting that for the stable team through public emails to LKML as a reply to the stable -rc patchsets?

Because otherwise, it is pretty clear it won't be done by the current team. Their priorities lie in bug fixing and development, not security management. Which is fine.

So, will someone whose first priority is security management please step up and start doing the work? All this complaining without any positive action is getting tiresome.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds