LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Kernel.org's road to recovery

Kernel.org's road to recovery

Posted Oct 10, 2011 14:43 UTC (Mon) by PaXTeam (subscriber, #24616)
In reply to: Kernel.org's road to recovery by vonbrand
Parent article: Kernel.org's road to recovery

you're talking about possible lifetimes of security bugs, i specifically talked about the ones whose security impact is known *before* any fix gets committed. the problem with such fixes is that their commit message tends to not mention that little fact. and no, such information doesn't belong to any other tree first than the one where said fix is committed. do you understand the problem now?

> For me it is enough that the bug got fixed, and move on.

how do you know when a security bug gets fixed when such information is covered up? have you got some psychic abilities or other channels that mere mortals are not privy to?

> Sure, security fixes should be backported.

yes, if you know which commits fix security issues. you too can point out every single commit that has a CVE but isn't mentioned in the git commit log. you see, if you can't find them, then how could others?

> You know what, that is what the -stable trees are for...

wait, are you saying that the -stable trees contain all the CVEs that are missing in the Linus tree (since the importance of the backported commits must be known by then)? can you back it up with actual numbers? ;)

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds