Yes, nix, you've really explored the depths of the logical implications of what we're trying
to get accomplished.
I don't want to blow your mind or anything, but I'll try in a paragraph or so to catch you up
to speed with what's been going on with "computers" in the past couple decades or so.
See, some time ago, somebody thought it would be a good idea to create something called a
"text editor." An ingenious invention at the time, certainly, and you'd be surprised to know
that they're still in use today! In fact, these "text editors" have made their way into other
common applications, like those used to read electronic mail (what we nowadays call e-mail).
If you're unfamiliar with these "text editor" contraptions, they allow you to edit text, copy
and paste text, and other such advanced procedures.
An interesting fact is that these "text editors" can indeed be used to *compose* electronic
mail messages. For example, maybe a person would be writing an email which contains the
changelogs for a particular version of the Linux kernel. With these newfangled "text editors"
one can modify these changelogs quite easily to add any additional information they choose to
include! I know back in the day this may have been a long and laborious process, what with
all those punch cards and driving to the residence of the recipient to deliver them, but
surprisingly this task now takes much less time!
There are reasons certain fixes get included in the -stable tree. They are aware of these
reasons, and the only thing preventing them from informing others of these reasons is their
own will to do so. We're asking them to simply be honest about what was fixed. When they
know it's a possibly exploitable overflow, they should just say so. Now, should all these
vendors profiting off Linux and its appearance of security (which given Linus' recent
statements, I think the public should be strongly reconsidering) actually maybe form a group
of actual security professionals to handle this kind of stuff, instead of continuing to say
"hey don't be so harsh, we're just really awful at this sort of thing...but Linux is still
enterprise-grade!"? Sure, it would be nice, but one problem at a time.
Just as an obvious example to show how incredibly stupid your explanation of "logical
implications" is, the fact that the PaX team has been pointing out suspicious and exploitable
vulnerabilities in each of the past half-dozen -stable releases hasn't seemed to impact the
speed of kernel development one iota, let alone "devastate" it. As evidenced by several
comments on this posting already, people appreciate having this information available. I
think that view will become even more common once people read what Linus is saying (that he
doesn't think people should be informed of security issues and that the vendors, the only
people doing such informing, are doing a "crappy" job of it and only disclosing a small
percentage of vulnerabilities) and realize what Linux kernel security in particular is passing
for these days.