> Because of this good guys need to apply all the patches, not try to
> cherry-pick the ones that they think are 'important'. If they want to do
> so (distros for example), they need to investigate _every_ patch to see
> if it has security implications or not. Tagging some of them as having
> security implications strongly implies that ones that are not tagged do
> not have security implications, and that is incorrect.
Realistically, most good guys don't do that. As I mentioned in my previous reply, applying all patches may actually introduce instability and/or additional security bugs to the system.
> Even if all the commit says is 'this is important for security', the fact
> that the details of the fix are directly attached to the comment makes
> it pretty easy for the bad guy to focus their exploit effort.
Obscurity does not prevent the bad guys from focusing their exploit effort. It only slows them down a little. By making the commits for security-relevant bugs a little more obvious, it may actually reduce the value of these vulnerabilities.