On Fri, Aug 9, 2013 at 4:34 AM, Tom Wijsman <tom...@gentoo.org> wrote:
> On Thu, 8 Aug 2013 15:32:45 -0700
> Greg KH <gre...@gentoo.org> wrote:
>> On Thu, Aug 08, 2013 at 04:37:32AM +0200, Tom Wijsman wrote:
>> > > And what about all of the fixes I merge in, that _are_ really
>> > > security fixes, yet we do not want to shout it out to the world
>> > > at the moment?
>> >
>> > For known security bugs, being aware of a fix earlier helps.
>>
>> I don't understand what you mean here at all.
>
> Neither do I understand what you mean by not shouting it out; so,
> unless you have argumentation to not shout it out, I'm in the belief
> that the faster one is able to apply a security fix, the more secure he
> is as a result. If not shouting it out makes things more secure, then
> please state me how and why; because it only gives attackers more time.
I think that you guys are talking past each other to an extent.

My sense is that Greg is using the term "security bugs" to refer to implementation errors that could be exploited to obtain unintended access to a system. Using this definition, any bug could be a security bug, and figuring this out is about as easy as figuring out whether a particular move is a good or bad one in chess.

I think Tom is using the term "security bug" to refer to a bug that has a published exploit against it (i.e. a CVE/etc). Using this definition it is clear whether a particular bug is a security bug - it is either in the database or it isn't.

I don't follow the kernel closely, but my guess is that they stay well ahead of CVE most of the time. I'd certainly say that any project should clearly document which releases incorporate fixes to CVEs - perhaps the kernel already does this. Since most bugs get fixed before anybody bothers to file a CVE, I'm not sure how much that actually matters in practice.

Frankly, with the huge volume of changes and frequent releases I'm amazed the kernel works as well as it does! Greg gave a talk about the rate of change and the implications for those submitting changes recently - I'm sure it is on YouTube/etc somewhere.

Rich