On Wed, Dec 11, 2013 at 01:00:07PM +1100, Dave Chinner wrote: > On Tue, Dec 10, 2013 at 08:10:51PM -0500, Josh Boyer wrote: > > On Tue, Dec 10, 2013 at 8:03 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote: > > > Security processes are not something that should be hidden away in > > > it's own private corner - if there's a problem upstream needs to > > > take action on, then direct contact with upstream is necessary. We > > > need to know about security issues - even ones that are classified > > > post-commit as security issues - so we are operating with full > > > knowledge of the issues in our code and the impact of our fixes.... > > > > Agreed. I'm going to interpret your comments at being directed to the > > general audience because otherwise you're just shooting the messenger > > :). > > Right, they are not aimed at you - they are aimed at those on the > security side of the fence. I'm tired of learning about CVEs in XFS > code through chinese whispers and/or luck. CVEs for the kernel are almost always "assigned" after the problem is fixed, or when people "notice" something was changed upstream. At that point, there's no need for the original committer to be notified, as there's nothing to do. Anyway, I understand your frustration about CVEs, I don't like them much either, but some people do, so let them deal with them, and don't give them a second thought. greg k-h _______________________________________________ xfs mailing list xfs@xxxxxxxxxxx http://oss.sgi.com/mailman/listinfo/xfs
