January 2, 2026
Bug or bust? Kernel kerfuffle
Linux kernel security work
Fix fast, say nothing: commenters cry “immature,” dream of unhackable OS, roast the UK
TLDR: Linux’s security team says they quietly fix issues fast via plain-text emails and don’t handle CVE IDs, sparking a backlash over transparency and priorities. Commenters split between calling the stance immature, dreaming of a perfectly secure system, and debating basics like HTTPS—proving security culture is the real battleground.
The Linux kernel’s security team just spelled out their playbook: fix reported bugs fast, push patches publicly, make no announcements, and email them in plain text only. CVEs (the industry’s ID numbers for security flaws) come from a different volunteer crew—so don’t email the security inbox asking for one. And encryption? They say it breaks the workflow. Cue the drama.
The loudest reaction: critics argue the kernel treats security bugs like normal bugs—and that’s “immature.” One top comment slammed the approach as out of step with the wider industry, saying a lot of pain could’ve been avoided if Linux took security issues more seriously from the start. On the flip side, dreamers surfaced: one commenter fantasized about a 100% secure operating system, wondering if formal proofs or safer languages could finally make “hack-proof” a thing.
Then came the sideshow: someone asked why the project’s info pages aren’t using HTTPS, igniting a mini-lecture on “it’s just static content” vs “security hygiene matters.” And when the post cheekily called out the UK government’s encryption policies—“this means you”—the thread replied with a collective “LOL,” turning a dry policy gripe into a meme. Bottom line: Linux says “fix fast, keep calm”; commenters say “show receipts—and lock it all down.”
Key Points
- The Linux kernel security team focuses on fixing reported security issues quickly and merging fixes into public trees without announcements.
- The security team and the CVE team are distinct groups of individuals acting independently, not tied to any company.
- Bug reports must be sent via plain text email to the kernel security address; HTML, binary attachments, markdown, and encryption are discouraged or not supported.
- The team is reactive, while proactive hardening is handled by the Kernel Self-Protection Project; members keep discussions confidential until resolution.
- Subsystem maintainers are pulled into email threads for domain expertise, and may join the security alias if recurring issues occur; this approach aligns with EU CRA response-time expectations.