> The 'security theatre' I have seen complained about is security people
> asking that lots of extra information be attached to bug fixes that
> takes up developers time and gets in the way of tracking down the
> bizarre corner cases.
nothing of the sort was asked, rather, we asked kernel devs to document with a few greppable words what they already know about the security impact of a given commit (*if* they already know, no need to spend time on figuring it out otherwise). that surely doesn't take up more than a few seconds of typing (or actually, as Linus made it clear that he actively censors such commits, it'd even speed things up).