Bugs are like mushrooms - found one, look around for more...
-- Al Viro
Maximizing security is hard: whether a bug has security
implications is highly use case and bug dependent, and the true
security impact of bugs is not discovered in the majority of
cases. I estimate that in *ANY* OS there's probably at least 10
times more bugs with some potential security impact than ever get a
So putting CVEs into the changelog is harmful, pointless,
misleading and would just create a fake "scare users" and "gain
attention" industry (coupled with a "delay bug fixes for a long
time" aspect, if paid well enough) that operates based on issuing
CVEs and 'solving' them - which disincentivises the *real* bugfixes
and the non-self-selected bug fixers.
I'd like to strengthen the natural 'bug fixing' industry, not the
security circus industry.
-- Ingo Molnar