Date:	Wed, 11 Jun 2008 01:10:56 +0200
From:	Willy Tarreau <w@....eu>
To:	Chris Wright <chrisw@...s-sol.org>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Linux 2.6.25.6

On Tue, Jun 10, 2008 at 01:12:23PM -0700, Chris Wright wrote:
> * markus reichelt (ml@...eichelt.de) wrote:
> > * Henrique de Moraes Holschuh <hmh@....eng.br> wrote:
> > > On Mon, 09 Jun 2008, Chris Wright wrote:
> > > > We (the -stable team) are announcing the release of the 2.6.25.6
> > > > kernel.
> > > > 
> > > > It contains a number of assorted bugfixes all over the tree.  Users are
> > > > encouraged to update.
> > > 
> > > It also contains at least one security bugfix, as some were quick
> > > to point out in not-so-kind words:
> > > 
> > > http://lwn.net/Articles/285438/
> > 
> > I agree that security bugfixes should be pointed out more clearly.
> 
> I don't think anybody is disagreeing with that.  It's not always
> obvious to bug submitters or fixers what the security implications are.
> While Brad has a good point, esp. w.r.t. the specific cpufreq bug he
> picked out having security implications, it is not true that we are
> actively hiding security bugs.  Had I realized there was a security
> issue, I would have highlighted it in the announce message.  In fact, that's
> our standard procedure for -stable.

I second this, Chris. When I merge a fix into 2.4, I generally wait
for -stable to release it so that I can reuse the same message and
subject, which already includes the reference to the vulnerability,
if any.

I don't like obfuscation at all WRT security issues; it does far more
harm than good because it reduces the probability of getting them picked
up and fixed by users, maintainers, distro packagers, etc.

It's a shame that Brad does not post here; he could have yelled
during the review phase in order to get more explicit changelogs.
*That* would have served a useful purpose. Whining afterwards is
useless though :-/

Willy
