Chris Wright has been awfully silent recently. Did everyone forget that it was only a few
weeks ago that Chris Wright had this to say:
"it is not true that we are actively hiding security bugs. Had I realized there was a
security issue, I would highlight it in the announce message. In fact, that's our standard
procedure for -stable."
I don't recall any public announcement of this rather dramatic reversal of policy. Might have
been a good idea to tell people.
Also Greg, you should read my posting on the full-disclosure list regarding your use of the
term "untrusted local users." Your usage of it is simply wrong from a security perspective
and is misleading to users.
"I think the individual developers of the kernel all know quite well what the security
problems for their code are."
You mean the same ones that thought NULL pointer dereference bugs were unexploitable until I
produced an exploit for one that disabled SELinux and then continued to call them
unexploitable over a year later? Those same ones?
Meanwhile it seems like all the kernel developers are coming out of the woodwork echoing
Linus' ridiculous "security bugs are no more important than any other bug" philosophy. It all
seems rather odd, and smells badly of damage control happening behind the scenes, since this
is the first time we've ever heard this from anyone.
What's the matter, Chris? Red Hat got you by the tongue?