[lame sarcastic stuff]
> There are reasons certain fixes get included in the -stable tree. They
> are aware of these reasons, and the only thing preventing them from
> informing others of these reasons is their own will to do so. We're
> asking them to simply be honest about what was fixed. When they know
> it's a possibly exploitable overflow, they should just say so. Now,
> should all these vendors profiting off Linux and its appearance of
> security (which given Linus' recent statements, I think the public
> should be strongly reconsidering) actually maybe form a group of actual
> security professionals to handle this kind of stuff, instead of
> continuing to say "hey don't be so harsh, we're just really awful at
> this sort of thing...but Linux is still enterprise-grade!"?
Here is an exercise.
Get 2.6.25 => 2.6.26 changelogs and patches.
Write down bugs (just bugs) which make sense to apply to 2.6.25.
To apply in logical sense, not in patch(1) sense.
Scratch those which are already in -stable.
Now extract those which are security-relevant.
Do the same for, say, OpenBSD 4.2 => 4.3.
Do the same for Windows (OK, this is a joke).
Enlightenment will come pretty quickly.
> Just as an obvious example to show how incredibly stupid your
> explanation of "logical implications", the fact that the PaX team has
> been pointing out suspicious and exploitable vulnerabilities in each of
> the past half-dozen -stable releases
> hasn't seemed to impact the speed
> of kernel development one iota, let alone "devastate" it. As evidenced
> by several comments on this posting already, people appreciate having
> this information available.
This is something I can't personally understand.
Do those people need the word "security" or "buffer overflow" in the changelog and
announcement to start the kernel upgrade machinery? Given how many commits
don't even reach -stable for the PaX guy to whine about, they live in some rosy universe.
Not even mentioning the occasional incomplete and flatly wrong information
in the CVE database.
> I think that view will become even more
> common once people read what Linus is saying (that he doesn't think
> people should be informed of security issues and that the vendors, the
> only people doing such informing, are doing a "crappy" job of it and
> only disclosing a small percentage of vulnerabilities) and realize what
> Linux kernel security in particular is passing for these days.
grsecurity will save us, no worries about that.
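The "exercise" above (diff two release changelogs, keep the bug fixes, drop the ones already in -stable, then flag the security-relevant remainder) can be mechanised as a first pass. What follows is an added example, not code from this thread or from the kernel project: it triages `git log --oneline` style text with keyword heuristics. The commit subjects and SHAs in `MAINLINE_LOG` and `STABLE_LOG` are constructed for the example and do not refer to real kernel commits; matching -stable by normalised subject (rather than SHA, which changes on cherry-pick) is an assumption about how backports are titled, and the keyword lists are a heuristic, not a classifier. Output from such a script is a reading list, not a verdict: each hit still has to be read, which is exactly the manual step the exercise asks for.

```python
import re
from dataclasses import dataclass

# Subject stems that usually mark a bug fix rather than a feature or cleanup.
# No trailing \b so "fix" also catches "fixes"/"fixed", "leak" catches "leaks".
FIX_RE = re.compile(
    r"\b(fix|oops|panic|crash|leak|overflow|underflow|use[- ]after[- ]free|"
    r"double[- ]free|out[- ]of[- ]bounds|null (pointer )?deref|off[- ]by[- ]one|"
    r"uninitiali[sz]ed)",
    re.IGNORECASE,
)

# Subset of stems that usually indicate memory safety or privilege problems.
SECURITY_RE = re.compile(
    r"\b(overflow|underflow|use[- ]after[- ]free|double[- ]free|out[- ]of[- ]bounds|"
    r"off[- ]by[- ]one|null (pointer )?deref|uninitiali[sz]ed|info(rmation)? leak|"
    r"privilege|unprivileged|capabilit(y|ies)|user[- ]controlled|untrusted)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Commit:
    sha: str
    subject: str


def parse_oneline(text):
    """Parse `git log --oneline` output ("<sha> <subject>" per line) into Commits."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, _, subject = line.partition(" ")
        commits.append(Commit(sha, subject.strip()))
    return commits


def normalize(subject):
    """Case/whitespace-insensitive key: -stable keeps the subject but not the SHA."""
    return " ".join(subject.lower().split())


def triage(mainline_text, stable_text):
    """Return [(commit, security_flag)] for fix commits in mainline missing from -stable.

    Order follows the mainline log. The flag is a keyword heuristic only."""
    stable_subjects = {normalize(c.subject) for c in parse_oneline(stable_text)}
    missing = []
    for commit in parse_oneline(mainline_text):
        if not FIX_RE.search(commit.subject):
            continue                      # not a fix: feature, docs, cleanup
        if normalize(commit.subject) in stable_subjects:
            continue                      # already backported to -stable
        missing.append((commit, bool(SECURITY_RE.search(commit.subject))))
    return missing


# Constructed sample input; hypothetical subsystems and commits, not real kernel history.
MAINLINE_LOG = """\
0000001 netfoo: fix off-by-one in netfoo_parse_options()
0000002 fsbar: add support for larger extents
0000003 driverbaz: fix NULL pointer dereference on unplug
0000004 Documentation: update netfoo tuning notes
0000005 ipcqux: fix stack overflow with user-controlled length
0000006 sched: tweak wakeup heuristics
0000007 fsbar: fix typo in error message
"""

STABLE_LOG = """\
aaaaaa1 driverbaz: fix NULL pointer dereference on unplug
"""


if __name__ == "__main__":
    for commit, security in triage(MAINLINE_LOG, STABLE_LOG):
        tag = "SECURITY?" if security else "fix      "
        print(f"{tag} {commit.sha} {commit.subject}")
```

With real data, feed it `git log --oneline v2.6.25..v2.6.26` and the -stable branch log for 2.6.25.y; the "logical sense, not patch(1) sense" filter from the exercise is still a human step after this script has shrunk the list.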