On Fri, 9 Aug 2013 12:30:42 -0700
Greg KH <gre...@gentoo.org> wrote:

> ...  Just read the commits to find out what is resolved, ...
>
> ... Because it's extra work that is pointless.  ...
> 
> > No classification is done if there is no single command to obtain
> > them.
> 
> I don't understand what you mean by this.

What I'm suggesting is based on the need for a digest; we both know
that a lot of people are not going to read every single commit to
classify them. If everyone has to do that, that causes a lot of double
work which could easily be spared at the source. Alternatively,
we are in need of a separate resource outside of the kernel infra that
is interested in classifying commits this way; I'm not sure whether
there is anybody doing such a thing.

Well, the CVEs are one such resource; but as you have stated in the
other mail they run behind on this, I think that other resources might
also be destined to run behind. Therefore I only see doing this at the
source to be a more solid approach that doesn't give attackers the
extra time while things stay unpatched; so, this is a legitimate concern
for kernel maintainers in Gentoo as well as server admins in general.

Of course our discussion won't make this happen, because you oppose;
but I'll try to hear later with the kernel ML what their thoughts are.

> The kernel team does not explicitly call out security fixes when they
> go into the kernel for a variety of good reasons, all of which have
> been argued and debated numerous times for many years.  See the
> linux-kernel mailing list archives if you are curious, I'm not going
> to get into that argument here, except to point out that the current
> behavior is probably not going to change.

Okay, thanks for the clarifications; I'll try to look for them, failing
that, I suspect people will refer me to them when I post the proposal.

Undoubtedly you heard thoughts similar to the above many times before;
but I'm new to this train of thought, so I'm unaware of those debates.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : tom...@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D
