Read his mails and my responses, it's all in there. Basically, he said
so himself that he knowingly withholds information. No matter how you spin
that, that's not full disclosure. Note that I'm not advocating for using
that disclosure policy for kernel bugs, it's what *you* guys chose and
I'm just asking why you're not practicing it. You're also free to change
to something else, just don't forget to tell the world about it.
That doc says full disclosure, it doesn't say 'but withholding this
or that'. If you don't know what 'full disclosure' means then you're
welcome to ask on proper security mailing lists such as bugtraq or
dailydave or, why not, the list named after this very policy.
Yes, you should include that at least. I didn't say that btw, your fellow
-stable maintainer did:
Had I realized there was a security issue, I would highlight it in the
announce message. In fact, that's our standard procedure for -stable.
(http://lkml.org/lkml/2008/6/10/328)
The 2.4 maintainer agreed with him:
I don't like obfuscation at all WRT security issues, it does far more
harm than good because it reduces the probability to get them picked
and fixed by users, maintainers, distro packagers, etc...
(http://lkml.org/lkml/2008/6/10/452)
I think you're outgunned here, Greg. And no, I'm not upset (after all, I'm
the one catching you covering up security bugs, right? You're not hurting me),
but more and more of your users are.
No, that doesn't really belong there but it's a nice addition for certain
people.
Greg, instead of pretending to be surprised and upset or whatever, go
read the whole thread first.
Cheers,
PaX Team
--