On 15 Jul 2008 at 18:41, Linus Torvalds wrote:

quoted text
> On Tue, 15 Jul 2008, Tiago Assumpcao wrote:
> > All I ask for is to receive the "There are updates available." message as soon
> > as one security problem is reported, understood and treated by your
> > development part. And that is, the sooner possible, if you please.
> 
> Umm. You're talking to _entirely_ the wrong person.
> 
> The people who want to track security issues don't run my development 
> kernels. They usually don't even run the _stable_ kernels.

how do you *know*?

quoted text
> They tend to 
> run the kernels from some commercial distribution, and usually one that is 
> more than six months old as far as I - and other kernel developers - are 
> concerned.
> 
> IOW, when we fix security issues, it's simply not even appropriate or 
> relevant to you.

why? what makes you think that a bug fixed in 2.6.26 is not relevant to
2.6.20? do you or anyone else personally verify that? color me impressed
if you do that on every single fix you commit.

quoted text
> More importantly, when we fix them, your vendor probably 
> won't have the fix for at least another week or two in most cases anyway.

correct, but also irrelevant, see below.

quoted text
> So ask yourself - what would happen if I actually made a big deal out of 
> every bug we find that could possibly be a security issue. HONESTLY now!

why do you and others keep exaggerating of what is (well, was) expected from
you? what's with this 'big deal' business? can't you image a middle ground
where you simply just state what you know? say, my category 1-2 i talked
about before.

quoted text
> We'd basically be announcing a bug that (a) may not be relevant to you, 
> but (b) _if_ it is relevant to you, you almost certainly won't actually 
> have fixed packages until a week or two later available to you!
> 
> Do you see?
> 
> I would not actually be helping you. I'd be helping the people you want to 
> protect against!

your argument rests on a fallacy that we discussed already but you keep
coming back with it. what makes you think that people exploiting kernel
bugs *rely* on your marking security bugs as such? they do *not*. they
are smarter (read: domain experts) than you or anyone else on lkml. they
will most likely spot the security issue when you *introduce* it, not
when you *fix* it. in other words, you are only helping the attackers by
withholding security information, not your users.

cheers,
  PaX Team

--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/