More seriously, that "circus" issue is really an annoying one and very deeply rooted in the field, I second that. Furthermore, from my own experience (subjective of course), I have to admit that most people with some responsibility (the "bosses") tend to be much more attentive to legal or marketing reasons than to practical/technical ones, from the security-oriented point of view. I am sure even Linus (or myself) can also feel this natural bias. This seems to me the fundamental reason why such theatral activity can exist and persist. And while the circus plays and attract attention in the forefront, technical problems and vulnerabilities bury themselves deeply in the code where they can stay for years and users opportunistically take advantage of the low light to write their passwords on a sheet of paper they "hide" in their wallet.
I have yet to fully understand the reasons for the long lasting existence of all this useless drama. But to me, it seems that this security circus is indeed a reality that we will need to cope with for a long time (from an historical persepctive, it may be that it fades away behind actual action in war times, but that's not a good reason to drop general pacifism... ;-).
So that refusal from the top-level kernel maintainer to play in the security circus sounds as an overall good news to me; but then, how does he want to play the security game (to get practical and continuous improvements to the overall security level of the kernel)?
Note: I certainly have a lot of ideas to propose on this topic: I've just deleted a lot of lines in this comment (the most interesting ones were probably associated to applying Coccinelle to identify missing "consts").
However, the very only comment I want to make is: then, how does Linus want to improve security management of the kernel (assuming he thinks improvements are possible)?
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds