Re: [stable] Linux 2.6.25.10

[Tiago Assumpcao <tiago@assumpcao.org>]

Linus Torvalds wrote:
> 
> On Wed, 16 Jul 2008, pageexec@freemail.hu wrote:
>> you should check out the last few -stable releases then and see how
>> the announcement doesn't ever mention the word 'security' while fixing
>> security bugs
> 
> Umm. What part of "they are just normal bugs" did you have issues with?
> 
> I expressly told you that security bugs should not be marked as such, 
> because bugs are bugs. 
> 
>> in other words, it's all the more reason to have the commit say it's
>> fixing a security issue.
> 
> No.
> 
>>> I'm just saying that why mark things, when the marking have no meaning? 
>>> People who believe in them are just _wrong_.
>> what is wrong in particular?
> 
> You have two cases:
> 
>  - people think the marking is somehow trustworthy.
> 
>    People are WRONG, and are misled by the partial markings, thinking that 
>    unmarked bugfixes are "less important". They aren't.
> 
>  - People don't think it matters
> 
>    People are right, and the marking is pointless.
> 
> In either case it's just stupid to mark them. I don't want to do it, 
> because I don't want to perpetuate the myth of "security fixes" as a 
> separate thing from "plain regular bug fixes".
> 
> They're all fixes. They're all important. As are new features, for that 
> matter.
> 
>> when you know that you're about to commit a patch that fixes a security 
>> bug, why is it wrong to say so in the commit?
> 
> It's pointless and wrong because it makes people think that other bugs 
> aren't potential security fixes.
> 
> What was unclear about that?
> 
> 		Linus

For all the above: no. And this is the point of divergence.
For you, as a person who "writes software", every bug is equivalent. You 
need to resolve problems, not classify them.

However, as I previously explained [http://lkml.org/lkml/2008/7/15/654], 
security issues are identified and communicated through what can be a 
long and complicated (due to DNAs, etc.) process. If it culminates at 
implementation, without proper information forwarding from the 
development team, it will never reach the "upper layers" -- vendors, 
distributors, end users, et al.

Therefore, yes, it is of major importance that you people, too, buy the 
problem and support the process as a whole. Otherwise... well, 
otherwise, we're back to where we started, 20 years ago. Good luck Linux 
users.

--t