> * On the one hand, to the taste of a number of security researchers (represented here by one member both significant and vocal ;-) ), mainline (Linus' tree) isn't doing enough for security. On the other hand, to the taste of top kernel devs (represented by at least another significant member here), the grsecurity folks aren't doing much to reduce the gap between mainline and grsecurity. And the status quo is not good for users.
Indeed, the status quo is not good for users. But I don't see how that is the problem of anyone but upstream. I only feel a responsibility toward my own users. Upstream is a lost cause for security, as far as I'm concerned. It's a waste of my time to deal with them and their narrow-minded view of security. If in the future they grow up and deal with security properly, then we'll re-evaluate working with them. As it stands, they continue to have the mentality that security just involves fixing bugs (which fits with the 'a bug is a bug' tautological stupidity).
And as I said earlier, when you go looking for "successes," it's mostly just them accepting trivial one-line patches for security issues found en masse via grep. What happens is quite different when a patch doesn't accompany the vulnerability report. So I reject this entire business of "the grsecurity folks aren't doing much to reduce the gap between mainline and grsecurity" -- it's not our job or what we want to be spending our time on.
> * It's sad that several hundreds low-controversy one-/few-liners from the huge grsecurity patch, which can be imported to mainline more easily than lots of other patches, without demonstrable performance or size penalty, remains developed outside of mainline.
> Dan Rosenberg gets dozens of small patches, mostly fixes for information leaks, committed in mainline and backported to stable. So mainline does pay at least _some_ attention to security, and does prefer smaller patches, too.
They prefer smaller patches, except when they don't. Look at the const patchset. First it wasn't split up enough, they complained, then somehow even though it was split up exactly as they asked, they complained that it was now split up too much. Sorry, but I view it as a failure of Linux if security improvements are dependent upon benevolent individuals with unlimited amounts of time to waste and an iron will.