> We applied fixes for all the security bugs in the system.
no, you did not, you said so yourself. what you did apply was fixes for a subset of problems in the system but most definitely not all, that's all i was trying to highlight. once more: when there're dependencies in a complex system you can't just arbitrarily ignore them when evaluating bugs and fixes (or any kind of change actually).
> a bug is a "security bug" if a perfect person would have identified it as such,
is that supposed to quote me or is it your opinion? because it's most definitely not true. not only because there's no such 'thing' as a 'perfect person' but also because what's one person's security bug may very well be another's feature. just read fandingo's post below.
> and if anyone fails to identify a bug as a security bug when it has
> security implications, they're engaged in a conspiracy.
same question, are you trying to misattribute something to me or just voicing your own opinion? because it's wrong again, failing to identify the security impact of a bug is not a problem per se (or rather, it's a different problem, something i am *not* discussing here at all). what *is* a problem is when the person committing the fix knows the security impact but fails to disclose it. for the circumstances of this bug see http://seclists.org/fulldisclosure/2012/Jan/400 in case you missed it when i posted it the first time. Linus (and everyone on the kernel security list) was provided not only with the description of the bug and its security implications but also a working exploit *yet* nothing remotely related to the security consequences was mentioned in the commit. *that* is a coverup, no matter how you'd like to dance around it.
> [...]that this is a sensible bugfix to apply in isolation[...]
you didn't understand a word of what i said i guess, because the above is *wrong*. when you talk about the security of the *system* (as you were), you *must* consider the *system* when evaluating any change to it (be that a security fix or something else), not some parts of it you happen to like because you think it serves your argument. btw, it doesn't help when you use the same words (fix, bugfix, etc) for referring to different things in the same paragraph.
> Or are you saying that the distros shipping the patch as a "security
> fix" aren't being honest when they say it fixes a security problem?
huh, where the heck did you get this from? citation needed. i think you're seriously getting lost in your arguments, you're mixing up arguing for different things and the end result is quite a mess... can you perhaps write your ideas down in simple 'isolated' sentences so that i know what's what?
> did the fix commit simply occur before the fixer realised there were
> serious security implications to the fix?
Linus knew full well the implications, read above. now what? ;)
> And can you and nye stop disagreeing about what's going on, please? Make
> up your mind about what you're talking about. ;)