LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Re: [stable] Linux 2.6.25.10

[Posted July 16, 2008 by corbet]

From:  Linus Torvalds <torvalds-AT-linux-foundation.org>
To:  pageexec-AT-freemail.hu
Subject:  Re: [stable] Linux 2.6.25.10
Date:  Tue, 15 Jul 2008 13:42:58 -0700 (PDT)
Message-ID:  <alpine.LFD.1.10.0807151331110.2867@woody.linux-foundation.org>
Cc:  Greg KH <greg-AT-kroah.com>, Andrew Morton <akpm-AT-linux-foundation.org>, linux-kernel-AT-vger.kernel.org, stable-AT-kernel.org
Archive-link:  Article, Thread 



On Tue, 15 Jul 2008, pageexec@freemail.hu wrote:
> 
> i understand and i think noone expects that. in fact, i know how much
> expertise and time it takes to determine that. but what happens when
> you do figure out the security relevance of a bug during bug submission

The issue is that I think it's then _misleading_ to mark that kind of 
commit specially, when I actually believe that it's in the minority.

If people think that they are safer for only applying (or upgrading to) 
certain patches that are marked as being security-specific, they are 
missing all the ones that weren't marked as such. Making them even 
_believe_ that the magic security marking is meaningful is simply a lie. 
It's not going to be.

So why would I add some marking that I most emphatically do not believe in 
myself, and think is just mostly security theater?

I generally do not remove peoples changelog entries, although I _will_ 
do even that if I think it's just too much of an actual exploit 
description (of course - the patch itself can make the exploit fairly 
clear). So you'll find CVE entries etc in the logs if you look.

But I do hope that anybody who looks for them is _aware_ that it's just a 
small minority of possible problems.

Don't get me wrong - I'm not saying that security bugs are _common_, but 
especially some local DoS thing for a specific driver or filesystem or 
whatever can be a big security problem for _somebody_.

			Linus
(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds