Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
LWN.net Weekly Edition for May 9, 2013
(Nearly) full tickless operation in 3.10
Quotes of the week
Posted Jul 5, 2012 9:01 UTC (Thu) by PaXTeam (subscriber, #24616)
> "when fixing a bug, be sure to describe the end-user impact of that bug".
> Then others will have a chance of deciding whether the fix should be backported.
so does security impact end-users? one of these days kernel devs should really make up their mind.
Posted Jul 5, 2012 10:26 UTC (Thu) by liljencrantz (subscriber, #28458)
Also please not that the kernel community is not a uniform hive mind, I can't remember reading any posts from Andrew Morton specifically in favor of the "Obfuscate commit messages for security patches"-policy.
Posted Jul 7, 2012 9:15 UTC (Sat) by PaXTeam (subscriber, #24616)
what are these 'different channels' and why would they ensure reliable backports of security fixes? and doesn't this contradict the 'bugs are just bugs' mantra? ;)
> That doesn't mean the current security policy is the best one, but at
> least it should not *systematically* drop security patches.
as for what's (not) getting *systematically* dropped, look at the fixes that spender backports into grsecurity, *systematically*. calling the 'current security policy' as not the best one is quite an understatement.
> [..]I can't remember reading any posts from Andrew Morton specifically
> in favor of the "Obfuscate commit messages for security patches"-policy.
that's because he didn't say anything, pro or contra. which is quite a shame because there're clearly signs that not everyone agrees with the current policy (just observe LWN's own article earlier this year) yet there're no discussions (in public) about it.
PS: the latest and greatest just in: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;...
'Hold a file reference in madvise_remove' is the what, not the why. at least the actual commit message contains a greppable keyword or two so everyone not otherwise paying attention knows what's just happened again (even though use-after-free is a far cry from 'exploitable by unprivileged users', something that should have been mentioned per Andrew's complaint, and no, a CC to stable@ does not an explanation make). good show guys, keep ridiculing yourselves.
Posted Jul 10, 2012 6:14 UTC (Tue) by malor (subscriber, #2973)
Only write it in crayon unless it's security related, and might actually HURT someone. If your bug means that someone could get hacked -- which, in the era of governments actively cyberattacking their own citizens, means they could be arrested and tortured and/or executed -- well, in that case, of course you should hide it. The last thing they need to know is that using your software could kill them.
But, as long as the bug isn't *serious*, then, yeah, write it in crayon. You can pretend to be honest, without having to deal with that pesky embarrassment stuff.
Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds