The link doesn't say what you say it does.
It says that Linus thinks that security researchers want to put security at the expense of usability, which is a different thing entirely.
First you gotta tell me what you think I'm saying. The link may not say it, but if you check the thread that link resides in, you'll see it's right on topic.
The context here is set by the parent:
> That sounds like a pretty serious issue with the QA and or bug tracking process.
My comment is exactly about the "bug tracking process".
Linux is not known to be a friendly upstream when it comes to widely accepted security procedures like marking security vulnerabilities as such, coordinating fixes with distribution vendors etc.
> So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

(http://yarchive.net/comp/linux/security_bugs.html)
Just look at the damn commit that fixes this vulnerability. It doesn't even say that it is a serious local privilege escalation. I saw the changelog for 4.4.26 yesterday and didn't realize it was an urgent security update until I saw the Debian bulletin later.
Yeah. "various reasons". There are only 2 commits and one is a huge vulnerability. In the meantime the fix (thus the vulnerability) was sitting in Linus' git tree for the last week because Linus doesn't believe in security vulnerabilities.
That, and that a bug is a bug is a bug. Any bug can potentially be a security vulnerability with the right approach. Thus putting people that find such bugs on a pedestal is counterproductive.
How did you prove that it's not also a security problem? Experience shows that there are often surprising ways to abuse what seems to be a benign bug to break security of a system.