Let me make this clear: upstream collectively doesn't even have the common sense to acknowledge the existence of security bugs. The 'security circus' is a nice red herring to divert the blame for why Linux security is so atrocious. Maybe seven years ago you could complain about the one or two companies that embargoed vulns to make a name for themselves, but even then it would have been a poor excuse (again that anyone but upstream itself is somehow responsible for upstream's security). I hate to tell you, but those companies are long gone, and there's now nobody in the industry embargoing bugs for fame or anything else you attribute to this 'security circus.' Only notable exception being ITL with the stack/heap gap issue, though you were already notified about that in a 2005 presentation and did nothing about it; so sorry, you lose the ability to complain. That neither Linus nor anyone else has noticed this just illustrates how out of touch with the real world you all are. All you have now is people *volunteering* to try to fix things, and upstream acting like a bunch of idiots. Do you want a medal or something because upstream accepts submitted patches for trivial vulnerabilities found by volunteers? That's hardly a measure of success.
Complain about the 'security circus' all you want, this mythical boogieman that somehow magically prevents you from making any security improvements of your own, but until upstream takes a serious approach to security, I'm afraid the joke is on you. Distros taking a month to release updated kernels for vulnerabilities that only require reusing some of my enlightenment code to exploit is ridiculous. Time and again you have vulnerabilities capable of weaponized public exploits on day one; how many more years will it take for upstream to realize this is a serious problem worthy of actual attention?
Until then, keep up your "de-pessimizing" strategy to security: https://patchwork.kernel.org/patch/276921/
BTW, if I wanted to check for the existence of parasitic security poseurs, I'd probably look for more posts from this guy: http://lkml.org/lkml/2010/11/4/335
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds