Stable kernel 2.6.25.11

Posted Jul 15, 2008 23:15 UTC (Tue) by adobriyan (guest, #30858)
In reply to: Stable kernel 2.6.25.11 by spender
Parent article: Stable kernel 2.6.25.11

[lame sarcastic stuff]

> There are reasons certain fixes get included in the -stable tree.  They
> are aware of these reasons, and the only thing preventing them from
> informing others of these reasons is their own will to do so.  We're
> asking them to simply be honest about what was fixed.  When they know
> it's a possibly exploitable overflow, they should just say so.  Now,
> should all these vendors profiting off Linux and its appearance of
> security (which given Linus' recent statements, I think the public
> should be strongly reconsidering) actually maybe form a group of actual
> security professionals to handle this kind of stuff, instead of
> continuing to say "hey don't be so harsh, we're just really awful at
> this sort of thing...but Linux is still enterprise-grade!"?

Here is an exercise.

Get 2.6.25 => 2.6.26 changelogs and patches.

Write down bugs (just bugs) which make sense to apply to 2.6.25.
To apply in logical sense, not in patch(1) sense.

Scratch those which are already in -stable.

Now extract those which are security-relevant.

Do the same for, say, OpenBSD 4.2 => 4.3.

Do the same for Windows (OK, this is a joke).

Enlightenment will come pretty quickly.

> Just as an obvious example to show how incredibly stupid your
> explanation of "logical implications" is, the fact that the PaX team has
> been pointing out suspicious and exploitable vulnerabilities in each of
> the past half-dozen -stable releases hasn't seemed to impact the speed
> of kernel development one iota, let alone "devastate" it.  As evidenced
> by several comments on this posting already, people appreciate having
> this information available.

This is something I can't personally understand.

Do those people need the word "security" or "buffer overflow" in the changelog and
announcement to start the kernel upgrade machinery? Given how many commits
don't even reach -stable for the PaX guy to whine about, they live in some rosy universe.

Not even mentioning the occasional incomplete and flatly wrong information
in the CVE database.

> I think that view will become even more
> common once people read what Linus is saying (that he doesn't think
> people should be informed of security issues and that the vendors, the
> only people doing such informing, are doing a "crappy" job of it and
> only disclosing a small percentage of vulnerabilities) and realize what
> Linux kernel security in particular is passing for these days.

grsecurity will save us, no worries about that.


Stable kernel 2.6.25.11

Posted Jul 16, 2008 0:05 UTC (Wed) by spender (subscriber, #23067)

Is any distribution shipping 2.6.25.11?

When a new stable kernel is released, do they push out binaries for that new kernel, for all
.x.y releases?

You know the answer to this, so I think it's you who is living in a "rosy universe" and
pretends that Linux users are using the vanilla "stable" kernel and upgrading to each new one
for the week.

And yes, people do need those words.  They're the same words everyone else uses and expects to
be used.  Do you think Microsoft could get away with the ridiculous idea that security bugs
are just bugs?

I guess in your "rosy universe" if on Patch Tuesday, a list of 10 patches was presented to a
user with descriptions like "fixed bug" they'd terminate any critical processes running and
upgrade their hundreds of machines immediately.

-Brad

Stable kernel 2.6.25.11

Posted Jul 16, 2008 0:38 UTC (Wed) by adobriyan (guest, #30858)

> I guess in your "rosy universe" if on Patch Tuesday, a list of 10 patches
> was presented to a user with descriptions like "fixed bug" they'd terminate
> any critical processes running and upgrade their hundreds of machines
> immediately.

Kindly keep your guesses inside yourself.
