"Security problems are just bugs" (2017)

lkml.org

2 points by guiambros 2 days ago · 1 comment

guiambros (OP) 2 days ago

Posting this to remind folks of Linus' and the kernel team's longstanding stance on security vulnerabilities, given the recent CopyFail discussion [1].

The researchers followed the standard disclosure process of 90+30, but distros were not notified. The kernel had a bug, but kernel developers did not (and will not) notify downstream distros.

The real discussion we should be having is: what should be the responsible disclosure process, and who should be accountable for contacting the downstream projects?

And should the Linux kernel be treated differently than other open-source projects? And if yes, where do we draw the line? If, for example, I find a bug in OpenSSL, is it reasonable to expect that I contact every single operating system, device maker, or library developer that packages OpenSSL in their gizmos?

[1] https://news.ycombinator.com/item?id=47965108