Quotes of the week
So I think a lot of the kernel's commit message obfuscation and unusual disclosure ideas stem from a sort of collective sigh and desire not to join the circus of security performers. They'll commit the fix, because that's the sensible thing to do from a development perspective and doesn't make a difference anyway, as LTS and distro kernels come with their own long delays. And they'll talk to you privately under an "embargo" for a little bit if you want, so that you don't go berserk that they're not "taking seriously" your beautiful vulnerability. (Also IIRC, OpenBSD won't even pay lip service to embargoes...) But mostly this is designed around that collective sigh, made to minimize drama and maximize productivity in actually getting fixes committed and deployed.
— Jason Donenfeld
By delaying a small bit of time from publicly posting a patch to telling the world that "hey, that was a security fix over there" that allows the community that works in the public added time for review and testing as our testing infrastructure that is NOT public is quite limited and reviews are limited given the huge range of needed developers to do that review.
— Greg Kroah-Hartman
