Comment by WrtCdEvrydy

4 years ago

You totally can... contact the kernel maintainers, tell them you want them to review a merge for security and they can give you a go/no go. If they approve your merge, then it's the same effect as purposely compromising millions without compromising millions.

3 comments

WrtCdEvrydy

Reply
incrudible  4 years ago

Again, that's not the same, because then they will look for problems. What you want to test is that they're looking for problems all the time, on every patch, without you telling them to do so.

If they don't, then that's the vulnerability in the process.

  • WrtCdEvrydy  4 years ago

    > because then they will look for problems. What you want to test is that they're looking for problems all the time, on every patch, without you telling them to do so.

    That's what they do every time.

    • darkwinx  4 years ago

      Telling them in advance will potentially make them more alert for problem coming from specific source. It will introduce bias.

      The best they can do is notify the maintainers after they got the result for their research and give the maintainers an easy way to recover from vulnerability they intentionally create.