Date:	Wed, 16 Jul 2008 17:43:15 +0200
From:	pageexec@...email.hu
To:	Greg KH <greg@...ah.com>
CC:	Tiago Assumpcao <tiago@...umpcao.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10

On 16 Jul 2008 at 7:43, Greg KH wrote:

> On Wed, Jul 16, 2008 at 11:01:51AM +0200, pageexec@...email.hu wrote:
> > On 15 Jul 2008 at 20:13, Greg KH wrote:
> > 
> > very good example of how you actually do *not* do what you claim. find me
> > the word 'security' in your announcement. it's not there. amazing, isn't it.
> 
> No, it was a conscious decision to do just to piss you off, glad to see
> it worked :)
> 
> Come on, give me a break, Tiago asked that we do releases as soon as we
> know about a security problem.  2.6.25.11 was released because of this,
> and all users were told to upgrade.  Is the fact that I add the magic
> word "security" in a sentence in the email some specific requirement
> that will make you happy?

it's not about making me happy Greg. i can figure these things out for
myself, i do *not* need your help in that. there're many users however
who rely on your providing accurate information. announcing a security
fix as such is the proper thing to do, i can't imagine how you guys can
dance around that simple fact for so long. just look at what your own
employer does with security bugs, if they see it fit to mark them as
such, how can you possibly argue that you're somehow acting in good
faith when you cover them up? will you next tell your corporate bosses
that they're bloody idiots that can't tell a bug from a bug and should
just omit the word 'security' altogether from future announcements? i
didn't think so either.

> Take a look at the words I used, if someone can't determine if they
> should upgrade or not based on that,

your carefully chosen words are *wrong* in fact. exploiting local bugs
has nothing to do with having untrusted users in the age of client side
exploits. due to your completely mischaracterized description, individual
home users may very well feel that they do not need to upgrade, to the
delight of the next malware owning their browser. you can congratulate
yourself Greg, you successfully misled a whole class of users.

> then they need to rely on a company
> to provide updates for them, and not be running their own kernels
> because they really have no clue about system management.

you conveniently failed to respond to the rest of my mail where i showed
that Chris Wright, heck, even yourself did announce security fixes as such
in the past. how do you explain that?

> Bah, what a joke.

and i thought i was the one getting pissed ;).
cheer up,
  PaX Team
