Stable kernel 126.96.36.199
Posted Feb 10, 2010 22:25 UTC (Wed) by vonbrand
In reply to: Stable kernel 188.8.131.52
Parent article: Stable kernel 184.108.40.206
OMG, not this nonsense again...
Work flow is that somebody notices a bug, and fixes it. Somebody else (stable team) goes through the set of patches and picks those they consider "important enough" and "non-intrusive" to include in the next point release. Here "important enough" certainly includes potential security problems, but nobody goes through the (not trivial) work of checking if it is a real security problem or just a "can't ever happen, but the code is badly written anyway" or even creating an exploit. In parallel, somebody figures out something is a (potential) security problem, and gets it a CVE number. There is no connection between the commit fixing the problem (which is probably taken almost verbatim from vanilla, just to be on the safe side) and any CVE announcement and/or exploit writing. Ergo, that information rarely (if ever) shows up in changelogs.
This is not some world-wide conspiracy to hide security problems, the kernel's developers are doing their best to fix known problems (which includes security problems). Want a more stable, secure system? Then you have to check it more (you are certainly welcome to help out) and/or beat more on it (i.e., wait longer while testing and looking it over).
Perhaps the tools should be enhanced so PaXteam (or others) can publish annotations to the commits in the stable (or even vanilla) kernel tree (without touching the originals) tieing the commits to whatever CVE or other anntotations they deem appropiate.
to post comments)