I see https://bugs.chromium.org/p/project-zero/issues/detail?id=1633 … was finally published today despite public commits existing for weeks. Thanks to @tehjh and Google's Project Zero for enabling Linus' silent fix commit messages to ensure only our customers get fixes promptly :)
Yeah, definitely something to think about. You're right that we haven't made an explicit endorsement or critique of silent commits by Linux upstream, what you're seeing here is essentially a default process that we apply across a bunch of different projects/vendors.
-
There are some options here that we can explore. Am I right in saying that your preference would be for Project Zero to derestrict as soon as we see an upstream commit? IIRC, the distros are the ones that argue against this, saying they want some time to package their fixes?
-
Yeah, in fact that's how I thought the process was supposed to work as I think I remember that happening in the past, but it could be that it just varies from person to person.
-
I get the distro angle, but cf. Microsoft/etc., where the modified binary is the first public sign of a problem, distributed to everyone good/bad at the same time; here there's a lot more info being provided to bad people and a handful of good, with distro updates weeks/months out.
-
I mean, we're happy to continue exploiting this situation as long as it exists, but it seems like other people are getting a raw deal ;)