Quotes of the week

It looks like year after year you guys manage to outdo yourselves in absurdity, one wonders if there'll be a new category needed for this year's pwnie awards because you're likely to no longer fit the lamest vendor response category.
-- "pageexec"

It does look like there are too many problems to actually make it call itself "3.0", and that's sad. That's not an excuse for not trying to get those problems fixed, though.
-- Linus Torvalds prepares for 3.0.0

The full set of patches will be sent, as normal, however they will be delayed by a few hours out of respect for those still awake and trying to get work done.
-- Greg Kroah-Hartman delays the pain into the eastern hemisphere

Quotes of the week

Posted Jun 16, 2011 6:19 UTC (Thu) by thedevil (subscriber, #32913)

Apparently I'm not one of the "people" because I compile my own kernels from kernel.org source.

But that's OK, I have long suspected I'm really a walking, chess-playing cat.

Quotes of the week

Posted Jun 16, 2011 9:19 UTC (Thu) by dgm (subscriber, #49227)

Trying to confuse us? I thought you're thedevil, indeed.

Quotes of the week

Posted Jun 16, 2011 15:47 UTC (Thu) by nye (guest, #51576)

From the lists I read, the QOTW would have to be Steve McIntyre's response to 'Urgent for Neil Williams' on debian-devel:
>Sorry to be trying to track you down this way, there's been an electrical
>problem with the feed to your flat, the cable that goes through my kitchen
>caught fire, and we've had to turn off your power.
>Could you please call me, as we need access to your flat to sort out your
>power.

Neil is at home now to deal with this, and has asked me to follow up;
he can't respond directly as he has no power... :-)

Quotes of the week

Posted Jun 17, 2011 12:35 UTC (Fri) by nix (subscriber, #2304)

So Debian does not give you power, then? ;}

Quotes of the week

Posted Jun 17, 2011 20:01 UTC (Fri) by raven667 (subscriber, #5198)

I don't see the conflict between pageexec, PaXTeam and other security wonks and the kernel team resolving in an amicable way anytime soon. pageexec is being hostile, accusing Ingo of operating in bad faith when that is clearly not true and is offering a lot of non-constructive criticism of the kernel development process. pageexec seems to be under the misapprehension that the kernel team is some sort of security Illuminati who are aware of the security impact of each of their change sets but are just hiding the truth from the public when all evidence points to them having little to no knowledge of the security impact of their changes.

The kernel team also seems very resistant to the idea of slowing down the bugfix cycle to try and put brainpower on figuring out the security implications of each patch set rather than just fixing bugs and moving on. Pageexec is talking out of both sides of the mouth when stating that changes should have security impact assessed but also that an attempt at full coverage of changes isn't expected. There is no guarantee that a newer kernel fixes more bugs than it introduces although analysis, done by LWN, on bug reports to change sets seems to indicate that bug rates are flat or shallow, they are not being introduced at a rate higher than they are being fixed.

This same argument has played out several times over the years, it doesn't seem that anything has changed.

Quotes of the week

Posted Jun 17, 2011 22:28 UTC (Fri) by jrn (subscriber, #64214)

> The kernel team also seems very resistant to the idea of slowing down the bugfix cycle to try and put brainpower on figuring out the security implications

To be clear, a lot of the debate has been about whether to include CVE identifiers in the changelog in cases when they have already been allocated at the time the fix is committed. I don't think that would slow anything down.

It seems to me that many kernel developers are resistant to marking security bugs differently (for example using CVE ids) instead of just using Cc: stable. That resistance seems completely reasonable; Cc: stable is better. On the other hand in a previous discussion there was a comment about not always disclosing the motivating impact when fixing a bug that was discovered through a security audit. I hope that doesn't happen often. I understand that the underlying questions (of exploitable bugs and time of disclosure) are kind of ugly.

Quotes of the week

Posted Jun 18, 2011 0:45 UTC (Sat) by nicooo (guest, #69134)

> The kernel team also seems very resistant to the idea of slowing down the bugfix cycle to try and put brainpower on figuring out the security implications of each patch set rather than just fixing bugs and moving on.

Nobody is asking them to do that, at least not in that post.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds