>> if you don't want to only apply security fixes to get a secure system,
>> why do you need the big red flag that a patch is a security fix? if you
>> are applying all bugfixes then you will get the security fixes along with
>> everything else.
> You wouldn't want to introduce possible instability to the system by
> applying other non-security fixes and enhancement
and I am saying that trying to do this means that you will miss security fixes because at the time they were created nobody realized that they fixed security issues.
because of this, good guys need to apply all the patches, not try to cherry-pick the ones that they think are 'important'. If they want to do so (distros for example), they need to investigate _every_ patch to see if it has security implications or not. tagging some of them as having security implications strongly implies that ones that are not tagged do not have security implications, and that is incorrect.
even if all the commit says is 'this is important for security' the fact that the details of the fix are directly attached to the comment makes it pretty easy for the bad guy to focus their exploit effort.
I think that the reduction in effort is greater for the bad guys than it is for the good guys.