On Tue, Jun 10, 2008 at 01:12:23PM -0700, Chris Wright wrote:
quoted text
> * markus reichelt (ml@mareichelt.de) wrote:
> > * Henrique de Moraes Holschuh <hmh@hmh.eng.br> wrote:
> > > On Mon, 09 Jun 2008, Chris Wright wrote:
> > > > We (the -stable team) are announcing the release of the 2.6.25.6
> > > > kernel.
> > > > 
> > > > It contains a number of assorted bugfixes all over the tree.  Users are
> > > > encouraged to update.
> > > 
> > > It also contains at least one security bugfix, as some were quick
> > > to point out in not-so-kind words:
> > > 
> > > http://lwn.net/Articles/285438/
> > 
> > I agree that security bugfixes should be pointed out more clearly.
> 
> I don't think anybody is disagreeing with that.  It's not always
> obvious to bug submitters or fixers what the security implications are.
> While Brad has a good point, esp. w.r.t. the specific cpufreq bug he
> picked out having security implications, it is not true that we are
> actively hiding security bugs.  Had I realized there was a security
> issue, I would highlight it in the announce message.  In fact, that's
> our standard procedure for -stable.

I second this Chris. When I merge a fix into 2.4, I generally wait
for -stable to release it so that I can reuse the same message and
subject which already includes the reference to the vulnerability
if any.

I don't like obfuscation at all WRT security issues, it does far more
harm than good because it reduces the probability to get them picked
and fixed by users, maintainers, distro packagers, etc...

It's a shame that Brad does not post here, he could have yelled
during the review phase in order to get more explicit changelogs.
*that* would have served a useful purpose. Whining afterwards is
useless though :-/

Willy

--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/