On Wed, May 15, 2019 at 11:15 PM Bill Sorenson <instructionset at gmail.com> wrote:
> > I'm not sure what you meant about Linux distros not categorizing fixes,
> > though - with some notable exceptions, most of the big ones certainly tag
> > security fixes separately, which is what allows `unattended-upgrades` on
> > Debian/Ubuntu based systems (and `yum-cron` on RHEL) to work so nicely
> > automatically as scheduled on *only* security errata, while leaving all
> > other types of updates alone for admin intervention.
>
> My comment about Linux was not in regards to any particular distro, they all
> have interesting policies of varying effectiveness when it comes to release
> engineering, but specifically about the Linux kernel team (Torvalds et al.),
> which last I checked had a policy of specifically not handling security issues
> any different from any generic bug. Distros may do their own kernel release
> engineering and handling that themselves which is fine.

Understood, yep, that historical stance in the kernel itself has really
sucked and does no one any favors with "everything is just a bug."
Thankfully the kernel self-protection project has made some significant
strides in that area, even if the overall security attitude of maintainers
has been slower to positive change than would be ideal.
--
Matt