Re: RFC: Starting a stable kernel series off the 2.6 kernel

From: Florian Weimer
Date: Mon Dec 05 2005 - 19:10:12 EST


* Bernd Petrovitsch:

> On Tue, 2005-12-06 at 00:00 +0100, Florian Weimer wrote:
> [...]
>> fixes (and other critical bug fixes). For picking functionality, I
>> agree, but critical bug fixes which basically affect everyone are a
>> different matter. It doesn't make sense to redo the same analysis
>> over and over again, at each vendor.
>
> Then vendors should cooperate/collaborate. Where's the problem?

Usually, publicly visible security bug handling is not separated from
the main development effort, especially if there is already a
centralized team for that purpose.

It's also a waste of resources if someone with no detailed knowledge
of the first analysis (which was made when the bug was fixed) or the
source code in question has to redo the whole analysis, just to pick
up the correct patches and classify the vulnerability. If you
duplicate the work just once, things are a bit better, but it's still
a waste of resources, and people not familiar with the code tend to
make more mistakes.

It's not that there isn't any cooperation, either. As far as I can
tell, it's possible to get most insider know-how on vulnerabilities
once it is published. It's just more time-consuming than necessary.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/