> Well, kernels are more painful to upgrade than most other software
> (since you pretty much have to reboot).
Well, there is ksplice...
> If someone is malicious and knows about what's going on in advance,
> you're stuffed whatever Linus chooses to write in the commit message.
Blackhats don't work based off the fix; they work based on the original commit that *introduces* the bug, weeks/months/years before the fix happens (if it happens at all; there's always a 0-day out there). And for the people who do work based off the fix, this very bug and its fix are proof that no amount of cover-up helps: there are already at least 4 public and 2 private exploits out there for it that I know of. What was the point of the cover-up then? It most definitely failed to achieve the goal of "try not to help black hats".
> There are a *lot* of patches going into the kernel each day: without
> a "OOH LOOK, THIS IS FOR HAXXORS" message
At this point *any* commit from Linus directly referencing a non-public message is an immediate red flag. He has achieved the exact opposite of what he wished for.
> [...]I find it hard to believe that staring at kernel commits is a good way to find vulnerabilities.