> not all patches that have security implications are known at the time they are created
so far so good.
> so if you only install fixes that were tagged as security fixes, you
> will miss other fixes that have security implications because those
> implications were not known at the time they were written, and so they
> were not tagged.
now, following this logic, no one will ever be able to apply all security fixes since the security impact of a given commit may reveal itself any time in the distant future. therefore everyone who applies anything (tagged or not) is in a constant state of 'not tagged as being a security fix, then it doesn't have security implications'. IOW, i don't see the usefulness of your statement, it looks like a tautology.
> what decreases security is the attitude that if it's not tagged as being
> a security fix, then it doesn't have security implications.
why does it decrease security?
and since you've just established that everyone can only do selective backporting, regardless of commits being tagged with whatever or not, this attitude is seemingly prevalent, even you suffer it yourself, so why does it matter again?
> And if even you are making the mistake that tagging known security fixes
> means that other fixes don't need to be applied (on the basis that they
> don't have security implications),
actually, i don't make that mistake, in fact, i don't see it as a mistake and you have yet to explain *why* it is a mistake at all. for a start, your acknowledging that fixing a security bug doesn't decrease security means that you're already in contradiction.
> then you have just proven the case that many of the kernel developers
> are trying to make, that tagging some patches as security related will
> cause people to ignore the others and have less security than updating
> to a newer version with all of the fixes
this one bleeds from several wounds, i'm afraid:
1. you haven't shown evidence that people are actually ignoring anything else but explicitly marked security fixes (i think i asked this one before ;).
2. you haven't shown evidence that ignoring anything but explicitly marked security fixes is a bad thing (you actually acknowledged that it's not, now what ;).
3. you haven't explained what 'all of the fixes' means. you and others already said that *everything* not proven otherwise is a security fix therefore the same everything must be backported by everyone who cares which in practice is possible only by following linus's git HEAD. i bet even you don't dare to do that to your company's servers (i actually wonder what you do given that you don't use -stable either).
4. you haven't shown evidence that *not* ignoring (i.e., backporting) random unmarked patches increases one's security/etc. you see, all those security and other fixes are the result of some *earlier* change that *introduced* the problem, so you'd have to somehow prove that the net result of backporting everything under the sun (i.e., following git HEAD) is positive, not negative.