On Wed, 2 Mar 2005 15:43:24 -0500 (EST) Robert Brockway <firstname.lastname@example.org> wrote:Well since you don't believe me on this (or other :) issues, read Alan's words: http://lkml.org/lkml/2005/1/13/236What was said elsewhere: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39189593,00.htm was: "Cox said that Torvalds does not always let people know when he has fixed a security bug in the kernel. This can be a problem as the patch will take a while to make it to production, which means that hackers can exploit the vulnerability before it is made available to individuals and enterprises running Linux. "Linus has this bad habit of fixing security holes quietly," said Cox. "This is a bad idea as some people read all the kernel patches to find the security holes.""
Same guy saying the same thing. Big deal. This actually contradicts his first argument that Linus releases code with known security holes. Now Alan is saying Linus fixes security holes and doesn't tell anyone. So which is it? Use your head and think with your own mind. Don't buy into all the things you hear unless you have _actual_ proof that this is the case. The vendors do a lot of work to *stabilize* the kernel but if you think they fix everything (security or otherwise) then you're very naive. Where do you think Debian gets most of it patches from? The -as tree... You need to stop reading all the opinion columns are start reading the kernel list archives. You can follow a different patchset/maintainer who isn't as "on the edge" as Linus. If you don't have the time to do that then you are probably better off with a vendor kernel. If you really want to argue the point, then I'd say that upstream source is more secure then vendor stuff. Pulling from BK gives you that days work. Even if say RedHat finds a security hole, they have to patch it and get it out to the masses. Guess where that code ends up first? Upstream. I'll be able to pull it in before RH even has packages made. A new versioning has been put into effect anyway. The new system will provide end users with a tree that's not so volatile and makes the vendors life easier. -Eric -- "Education is what remains after one has forgotten everything he learned in school." - Albert Einstein
Description: OpenPGP digital signature