your point is based on one idea :
security = hidden mailing list

This has been discussed in the LKML quite extnsively. You can argue on that but only telling your point of view while removing even the lead upstream developper comments, you are only doing politics.

The point is that security related people used to dealing with big company refuse to send security patches on the open mailing list. The problem arised because a developper sent his patch to the personal email address of Linus Torvald. Then waited a few days and said the linux kernel developpers did not respond, they don't care about security issue.
Did he even ask where to sent his security patches on the main mailing list ? No he did it after publishing the vulnerability .

Most security problems are bugs in the design or implementations. They where managed as the other in the open mailing list.
The discussion changed to how can distribution security teams work more closely with upstream. This is the issue that is being discussed upon. Not "hey we should care about security lets set up a private mailing list" ...

Your arguments are good. If only you took the time to read the big thread about that , and arguments on what was there , not only on the first emotive email.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/296/30346#30346