Message-ID: <487DE856.15132.1EDCDAAF@pageexec.freemail.hu>
Date:	Wed, 16 Jul 2008 12:23:50 +0200
From:	pageexec@...email.hu
To:	David Miller <davem@...emloft.net>
CC:	tiago@...umpcao.org, torvalds@...ux-foundation.org, greg@...ah.com,
	akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
	stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

On 16 Jul 2008 at 3:08, David Miller wrote:

> From: pageexec@...email.hu
> Date: Wed, 16 Jul 2008 11:49:45 +0200
> 
> > why? what makes you think that a bug fixed in 2.6.26 is not relevant to
> > 2.6.20? do you or anyone else personally verify that? color me impressed
> > if you do that on every single fix you commit.
> 
> Many people who do kernel development do exactly this for the vendor
> they work for.

i know that. but you conveniently skipped what i was replying to, here
it is for proper context:

> IOW, when we fix security issues, it's simply not even appropriate or 
> relevant to you.

i'll ask again: why aren't security fixes that you fix relevant to users
of older kernels (as that's what the topic was)? in other words, Linus was
trying to justify with one more silly reason why security fixes aren't marked
as such. the above basically said 'because they are not relevant to you'
and i asked him why it is so. you're welcome to explain it as well. and no,
vendors having people go through every single commit doesn't answer why you
couldn't make *their* life easier as well by not withholding information.
and not to mention a whole world of interested users beyond the commercial
companies that can afford this kind of cost.

> The SCTP socket option overflow fix got into various dist releases not
> by chance and not because of some utterly pointless "security" tag in
> the commit message.

why do you call a security tag 'utterly pointless'? i've heard Linus's
opinion and deconstructed every single one of his 'justifications' so far.
what's yours gonna be?

cheers,
  PaX Team
