You've completely missed the point, which is very, very simply that if there are known security implications regarding a bug, people want to know. We're not talking about putting a risk factor score against every bug so people can weigh up how much of a security threat every bug is; that'd quite obviously get silly. We're not talking about studying all the bugs scientifically so we know what the effects and interactions with others are; that would be more work than fixing the things! But when there already /is/ knowledge about a *specific* bug having security implications, then people want that knowledge shared.
When the e1000 bug hit that bricked people's network cards, everyone knew about it, which was the responsible thing to do, so people with that card could avoid those releases. Does that mean people expect all bugs to be released with a "chances of destroying your hardware:" score? No. We're talking about sharing any known information. If the information isn't known, then it is outside the scope of what is being asked for.
Posted Nov 9, 2008 22:40 UTC (Sun) by bojan (subscriber, #14302)
I think this is the simplest and best explanation of the issue so far. Thanks!
what security fix?
Posted Nov 10, 2008 11:16 UTC (Mon) by tialaramex (subscriber, #21167)
You should take /that/ complaint to the list of people in the release notes.
Unless you think the Linux kernel should have a policy of not accepting bug fixes if it is suspected that the person who wrote the fix knows more than they're saying about its security implications. In which case, I think you're actually asking for /less security/, although perhaps with a very noble long-term goal.