220.127.116.11 Release notes
Posted Feb 22, 2010 17:32 UTC (Mon) by vonbrand
In reply to: 18.104.22.168 Release notes
Parent article: 22.214.171.124 Release notes
I'm sorry, but I've to side with the developers here.
Just imagine you (as developer) get a bunch of (mostly incomplete, often conflicting) problem reports, and you are at the end able to track down what seems to be the cause. You fix it, and go your merry way chasing the next bug. Or you then sit down trying to organize the whole mess to create an intelligible commit message/impact assesment. Better skip the second part, as it slows down the fixing of bugs. Besides, your assesment could very well be dead wrong (see the oversights in the article for examples), or it might even be that while researching one problem you find (and fix) a completely unrelated issue. Is the poor developer then forced to search all over the reports to check if it fixes something else? This being open source, if somebody wants accurate bug impact assesments, they are more than welcome to contribute the required expertise and manpower to compile and publish them. That this hasn't shown up (only whining that it is not out for grabs) indicates that the need really isn't there...
Bugs are bugs, they need to be fixed. Sure, we know by now that anything that could lead to following a bogus pointer (including NULL), or writing past allocated space, or sloppy locking, among others can lead to security problems, and such patches get priority going to stable. Other stuff can be handled with a more cavalier attitude, as long as it isn't shown that it causes (security) trouble.
I just fail to see what could be gained by labeling some bugs as security-sensitive while others aren't. The labeling won't ever be correct, so your best bet is to apply all patches. If that isn't enough for your level of paranoia, you won't trust the labels anyway, and (re)do the checking. This is quite beside the fact that what would be a mild or nonexistent problem for one configuration might be lethal in another one.
to post comments)