> the kernel developers and stable team have decided not to try and judge
> which patches are security fixes and which are merely bugfixes.
you're wrong. they didn't have that decision to make to begin with because they're simply not qualified to make such judgement calls due to lack of expertise. what you wanted to say is that they decided to not share what others tell them about security bugs. we call that a coverup in other areas of life.
> They believe that if they did so, people would only apply the fixes
> marked as security
and they have presented exactly zero evidence for such a belief. not to mention that it's outright insulting to assume that people would be that dumb.
> in addition, they are tired of being harassed about the issue, so now
> they make a point not to call out particular fixes as being security
> fixes.
they are tired of being held accountable for their treatment of security bugs. something proprietary vendors have also had to learn, mind you, but they at least did. their reaction is nothing short of 'punishment' of their own userbase, a rather childish attitude at that.
Posted Feb 11, 2010 2:08 UTC (Thu) by mfedyk (guest, #55303)
> > They believe that if they did so, people would only apply the fixes
> > marked as security
> and they have presented exactly zero evidence for such a belief. not
> to mention that it's outright insulting to assume that people would
> be that dumb.
There is always someone that dumb (using your term). Look at all of the unpatched Windows boxes, or even the uproar over Firefox 3.7, err I mean 3.6.37. Also look at the latest hack to get Debian stable working for their purpose (I used Debian for over 8 years, and more than 50% of Debian users use Debian testing or sid).
Once you come down from your lofty ivory tower, you'll see the reality of the individual that believes they're right, no matter what anyone else thinks.
Stable kernel 2.6.32.8
Posted Feb 11, 2010 10:12 UTC (Thu) by nix (subscriber, #2304)
Hell, I ran into a Linux box recently at a friend's, on the Internet, running Red Hat 5.0. That's not RH*EL* 5.0 or Fedora 5.0, note: that's Red Hat 5.0. Genuine 1997 vintage 2.0.29-ish kernel and libc5 userspace IIRC, never upgraded. Said friend wasn't even aware it *could* be upgraded. And it was in use as a firewall.
So, no, this sort of thing is not unheard of in the least.
(I dislike automatic upgrades that you can't turn off, but automatic upgrades *by default* seem like a very good idea to me. People who don't know or care about security might be secure-by-default then.)
Stable kernel 2.6.32.8
Posted Feb 12, 2010 0:35 UTC (Fri) by PaXTeam (subscriber, #24616)
> Look at all of the unpatched windows boxes[...]
it seems you're confused. unlike binary Windows updates, the patches are not useful for end users but rather distro builders, sysadmins and other people maintaining their own kernel (for the better or worse, let's not digress into the costs/benefits of not being on latest -stable). they had better be competent at what they're doing.