[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.1.10.0807151832260.2835@woody.linux-foundation.org>
Date: Tue, 15 Jul 2008 18:41:36 -0700 (PDT)
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Tiago Assumpcao <tiago@...umpcao.org>
cc: pageexec@...email.hu, Greg KH <greg@...ah.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [stable] Linux 2.6.25.10
On Tue, 15 Jul 2008, Tiago Assumpcao wrote:
>
> How can I expect one to treat the unknown? If you are not aware of it, you do
> nothing.
Well, some people keep it secret and track it on vendor-sec or similar,
hidden from us.
But then when they are ready to announce it, they want our help to glorify
their corrupt process when they finally deign to let us know. And that
really irritates me.
> All I ask for is to receive the "There are updates available." message as soon
> as one security problem is reported, understood and treated by your
> development part. And that is, the sooner possible, if you please.
Umm. You're talking to _entirely_ the wrong person.
The people who want to track security issues don't run my development
kernels. They usually don't even run the _stable_ kernels. They tend to
run the kernels from some commercial distribution, and usually one that is
more than six months old as far as I - and other kernel developers - are
concerned.
IOW, when we fix security issues, it's simply not even appropriate or
relevant to you. More importantly, when we fix them, your vendor probably
won't have the fix for at least another week or two in most cases anyway.
So ask yourself - what would happen if I actually made a big deal out of
every bug we find that could possibly be a security issue. HONESTLY now!
We'd basically be announcing a bug that (a) may not be relevant to you,
but (b) _if_ it is relevant to you, you almost certainly won't actually
have fixed packages until a week or two later available to you!
Do you see?
I would not actually be helping you. I'd be helping the people you want to
protect against!
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists