[rincebrain]

I think it's an extension of the premise that you should just be taking the whole stable tree with all its patches constantly, whether they're labeled as security fixes or not, because you can never really know for sure some bugs weren't security bugs.

I don't agree with the premise, but I do think it's a sincerely held one.

[IshKebab]

I dunno, if you think about it for more than a few seconds you can see the obvious holes in it, like it's definitely true that some bugs are "may allow RCE", but you also can do a LOT better than not even trying. And even if you do say "we're not putting the effort in to backport security fixes" (which is fine), that doesn't entail "security bugs are just bugs".

These are smart people. If it wasn't about their own project I really think they'd have a different point of view. I wonder what they say about Microsoft's security bugs for example!

[rincebrain]

I don't think I said I agreed with them, or that the position had no flaws, I just said I thought their stance was sincerely held.

People can earnestly believe illogical or inconsistent things. Arguably those are even easier to get stuck believing, as you already had to accept some friction in the inconsistencies earlier in your internalizing them, so now you're even further into sunk costs around it.

[bombcar]

The kernel begrudgingly admitted of the existence of LTS releases, they really don't like long-lived kernels and people not tracking at or near the latest release.