Comment by asciident
4 years ago
Can you cite a source of Greg saying this? I read this article which is the closest I could find that reports this, https://www.zdnet.com/article/greg-kroah-hartman-bans-univer... which says,
"""Romanovsky reported that he had looked at four accepted patches from Pakki "and 3 of them added various severity security 'holes.'" Sudip Mukherjee, Linux kernel driver and Debian developer, followed up and said "a lot of these have already reached the stable trees." These patches are now being removed."""
However, if you click the links, you'll see that "have already reached stable trees" is about non-buggy patches, and "3 of them added various [holes]" are not among those. So the articles seem to be intentionally deceiving the reader into thinking those are connected, when they're separate events. I actually feel like the media has been doing this (putting non-related facts together in a way that readers reasonably infer a connection between the two).
I guess it was Romanovsky who said it: https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/
Wait, so do you disagree with ZDnet too?
Again, there's nothing that says the patches with vulnerabilities made it to stable.
Did you read the ZDnet article and look at the links in that article in the relevant paragraph? I'm not "disagreeing", I'm saying that they are misleading the reader (and it looks like many were fooled).
The two sentences they put together are not related, but put next to each other, they make it seem like they're related. We have to be careful when reading these articles. So the researchers have made commits to stable, and the researchers have introduced vulnerabilities, but they are not referring to the same patches. So no vulnerabilities have been committed to stable.