On Tue, Jul 15, 2008 at 11:24:25PM -0300, Tiago Assumpcao wrote:
quoted text
>> The people who want to track security issues don't run my development  
>> kernels. They usually don't even run the _stable_ kernels. They tend to 
>> run the kernels from some commercial distribution, and usually one that 
>> is more than six months old as far as I - and other kernel developers - 
>> are concerned.
>
> Right *there* is where it is born! Right at your development kernels. It  
> may or may not survive up to the big market. However, being at the  
> source level, it is your duty to a) resolve the source-level issues; b)  
> put affordable efforts in order to prevent one known issue to arrive at  
> the end point.

I don't think we've ever heard any of the distro kernel engineers
complain that there is a problem with how commits are documented in
the upstream source.  Keep in mind, the distro kernels are usually at
least 6-9, to sometimes 18-24 months old.  So many of the security
bugs that show up in the developement kernels simply don't *apply* to
the distro kernels; they security bugs simply aren't present in those
older kernels.

Of course, sometimes there are long-standing bugs.  But I don't think
the distro engineers have been complaining that they aren't finding
out about them because they aren't marked <<------ SECURITY BUG HERE
in big bold letters.

And again, talking about something as if it were their ***duty*** is
not a good way to pursuade people to do things in the open source
world.  The only guaranteed way to get something done in the open
source is to help pay for it, or do it yourself.  Sometimes you can
convince others to do your work for you, but usually that requires
some reciprocity in the long run.

Regards,

						- Ted
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/