On Sun, May 25, 2003 at 09:23:44AM +0200, Christoph Hellwig wrote:
> On Sun, May 25, 2003 at 01:11:44AM -0400, Matt Zimmerman wrote:
> > > Then read through the prepatch diffs, everything adding checks to
> > > ioctl methods or similar is likely one of them.
> >
> > This approach does not scale.
>
> Right, you got it. Similarly it doesn't scale to announce all these bits.
> Just take the latest upstream if you want these kinds of fixes.
No, that is not similar. All those bits are changed by many different people, not one, and even if they weren't, it is easier (by a HUGE measure) for the person who has made the change to announce it to others, as they are already aware and do not need to sift through a single diff, much less the entire kernel tree as you suggested that I do. This is analogous to someone dropping a particular leaf into a huge pile of leaves, and suggesting that it makes more sense for me to search the pile than for them to tell me where they dropped it (or show it to me in the first place).

This is not a question of what I want. Either our users need these fixes to maintain the security of their systems (in which case Debian needs these fixes, and they are important enough to be announced publicly), or they do not, and they are not worth talking about.

> This is how every bigger upstream (and other projects like OpenBSD) work.

Apache? XFree86? KDE? Mozilla? OpenWall? glibc? All of these projects manage to enumerate security fixes. OpenBSD fails miserably in this respect, and makes for an example of how NOT to work with the community on security issues. Their approach is, roughly, "we fixed this a while ago but didn't tell anyone, so you're vulnerable and we're not, ha-ha-ha".

-- 
- mdz