Kernel.org's road to recovery
Posted Oct 9, 2011 15:22 UTC (Sun) by vonbrand
In reply to: Kernel.org's road to recovery
Parent article: Kernel.org's road to recovery
If you look at any guidelines on secure programming, they are almost identical to "program carefully," only that they emphasize some points. Kernel programming is work that requires utmost care by its nature. Program with care and you should be in the clear. Finding out if some random mistake you notice and fix has security implications is extra, non-productive work.
If you track down some reported bug, your fix will presumably refer to the report (with PoC and security assessment).
In no case are commit comments altered. And I'm convinced that the bugs being fixed whose security implications are known only by the committer are a vanishingly small minority. Adding comments detailing how a signedness mistake or a possible wraparound could lead to a buffer overflow or other problems later on is pure noise. The fix has to be applied regardless.