LWN: Comments on "A pile of stable kernel releases"

A pile of stable kernel releases

atnot — Mon, 02 May 2022 08:48:44 +0000

I'm somewhat sympathetic to this idea, as not labeling things as security issues can give people a false sense of security. But combined with the cryptic commit messages even fixes for actively exploited vulnerabilities get, it also makes it pretty hard for defenders to track the severity and prevalence of certain bugs and fixes.

"If everything is important, then nothing is", as they say

A pile of stable kernel releases

calumapplepie — Mon, 02 May 2022 06:43:00 +0000

OTOH, Greg holds the position that every kernel bug is a security bug, and that every stable release fixes kernel (and by extension security) bugs

A pile of stable kernel releases

atnot — Wed, 27 Apr 2022 20:55:17 +0000

That is a great demonstration why the Linux policy of not explicitly marking important security fixes is pointless to counterproductive. Defenders don't know whether they need to stand by to patch, while it is absolutely trivial for attackers to notice an irregular release date, do a search through the list of commit authors and find the ones that are from a security researcher.

Through the power of lore.kernel.org, you can even just skip a step and query for patches mentioning say, notable developers from Google Project Zero to receive advanced notification. E.g.: https://lore.kernel.org/all/?q=Jann+Horn+s%3A%5BPATCH%5D+...

A pile of stable kernel releases

calumapplepie — Wed, 27 Apr 2022 15:49:14 +0000

I'm getting "exploit in the wild" vibes from this... that or Greg forgot what day of the week it is, which I do on a regular basis