
An important set of stable kernel updates

Posted Oct 21, 2016 0:02 UTC (Fri) by robert_p (guest, #110578)
In reply to: An important set of stable kernel updates by spender
Parent article: An important set of stable kernel updates

> but that LWN and others have effectively given upstream a pass on this? [...]
> If people don't see this as the worst handling possible of the most severe Linux kernel vuln to date, there's no hope for any of you

I guess you're addressing the responsible kernel devs, but among users, admins, hobby-devs, hackers etc there are way more people who fully agree with your sentiment on those issues than you're probably aware of. Of course effectively that doesn't change anything as long as the more influential kernel developers and Linus himself don't change their demeanor but you're often writing from the perspective of somebody who's not heard or taken seriously. While understandable, I just wanted to use this platform to say that I fully agree with everything you wrote above and I think a ton of people 'out there' do as well and are thankful for your work, as well as for being a loud voice for this issue.
However, I assume there isn't much somebody who's not employed to work on the kernel or has a significant role in its development can do, right? Other than speaking out about those things I can't think of ways to influence the old guard, and since even respected experts are ignored that's certainly not much.



An important set of stable kernel updates

Posted Oct 21, 2016 2:11 UTC (Fri) by spender (guest, #23067)

That's the problem I think -- if there are all these voices that agree, I certainly haven't heard them, and definitely not on this site. You can go back to around 2005 or so I think when we first started pressing the issue about the disconnect between the "full disclosure" policy mentioned in Documentation/SecurityBugs vs the obfuscation practices of mainly Linus and Greg (which then became an example for other upstream developers) after Chris Wright stopped being involved in the stable kernels. I don't know how to explain the responses we got to what we were saying at the time, people were incredulous, kept coming up with excuse theories of their own as to why this information wasn't being provided instead of the facts staring them in the face, or resorting to some strawman about how we were demanding info on vulns upstream knows nothing about, and how that would destroy development speed. You can see one example of that in the link I posted actually, and the same stuff was repeated over and over again. At some point, after Linus admitted in public he's intentionally obfuscating commit messages, people needed some way to deal with the cognitive dissonance, but instead of admitting being wrong, they bought into this naive "a bug is a bug" mantra to justify the behavior. Most others simply didn't speak up at all, minus a handful of people I recall every now and then -- anyone remotely involved in upstream work (I recall Willy and Eugene) basically shut up about it after Linus and Greg repeated their views a few more times in an authoritative way (or maybe they got tired of complaining to a brick wall). I think with people not having the courage to stand up to Greg and others who in nearly every facet are very much about asserting the status quo (Linus' comments on security at every conference in the past decade or so are basically a repeating of the same few sentences), upstream becomes convinced their view is right, that the suppressed dissent is tacit assent.

-Brad

An important set of stable kernel updates

Posted Oct 21, 2016 13:39 UTC (Fri) by ppel512 (guest, #111882)

The voices are out here. But like Lionel says what is the point of "nobodies" like us shouting about it when the upstream devs have demonstrated that they don't care anyways. We're running over 45,000 instances of Linux inside our business and due to the way this release was obfuscated and mishandled we've just gone through a hellish night of "patch and roll everything". There are real world consequences to the decisions being made that you are so passionate about and we are super thankful you are out here screaming what we would only be able to quietly whisper.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds