you were asking for 'signs of active suppression of CVE info'. lack of CVE numbers in commit messages is 'signs' in my book. whether the actual reason was active suppression or something else is something you'll have to research. actually, you can do much better to prove your point: show me the commits that fix all the CVEs not explicitly mentioned in the commit logs. every one of them. if it takes you more than a few seconds then you lost (my bet is on days assuming you even have the knowledge to read and understand kernel code and security bugs). do you understand now why it's important to not cover up security bugs?