undefined | Better HN

0 pointsincrudible4y ago0 comments

> Go set up a test, and notify the people.

The vulnerability is in the process, and this was the test.

> You really think the Linux kernel guys would change their process if you did this? They'd still do the same things they do.

If they're vulnerable to accepting patches with exploits because the review process fails, then the process is broken. Linux isn't some toy, it's critical infrastructure.

0 comments

WrtCdEvrydy4y ago

You can test the process without pushing exploits to the real kernel.

incrudibleOP4y ago

> You can test the process without pushing exploits to the real kernel.

No, you can't, because that is the test! If you manage to push exploits to the real kernel, the test failed. If you get caught, the test passes. They did get caught.

WrtCdEvrydy4y ago

You totally can... contact the kernel maintainers, tell them you want them to review a merge for security and they can give you a go/no go. If they approve your merge, then it's the same effect as purposely compromising millions without compromising millions.

1 more reply

j / k navigate · click thread line to collapse

0 pointsincrudible4y ago0 comments

> Go set up a test, and notify the people.

The vulnerability is in the process, and this was the test.

> You really think the Linux kernel guys would change their process if you did this? They'd still do the same things they do.

If they're vulnerable to accepting patches with exploits because the review process fails, then the process is broken. Linux isn't some toy, it's critical infrastructure.

0 comments

WrtCdEvrydy4y ago

You can test the process without pushing exploits to the real kernel.

incrudibleOP4y ago

> You can test the process without pushing exploits to the real kernel.

No, you can't, because that is the test! If you manage to push exploits to the real kernel, the test failed. If you get caught, the test passes. They did get caught.

WrtCdEvrydy4y ago

1 more reply

j / k navigate · click thread line to collapse