Ian, the reports that the kernel developers have adopted a new security process are very premature. So far, Linus has not accepted a patch which documents the new model. In the meantime, several more vulnerabilities have been disclosed without the kernel developers issuing security notes. For example, Ubuntu has released an alleged security fix for a vulnerability in the IP forwarding path, but nobody knows if their analysis is correct.
In one aspect, Linus' distrust of vendors is very symptomatic of the kernel development as a whole: he doesn't view himself and his co-developers as a vendor, even though many users still download, compile and run vanilla kernels from kernel.org. Consequently, the kernel developers do not publish official security patches or even security advisories. GNU/Linux distributions had to live with this odd behavior and therefore took the initiative, handling security bugs on their own. I can hardly blame them for that.
Posted by Florian Weimer at February 17, 2005 11:22 AM