На счет причины уязвимостей:

Linus tells Google security engineers what he really thinks about them: Some security people have
scoffed at me when I say that security problems are primarily "just bugs". Those security people
are f*cking morons. Because honestly, the kind of security person who doesn't accept that security
problems are primarily just bugs, I don't want to work with. If you don't see your job as "debugging first",
I'm simply not interested. So I think the hardening project needs to really take a good look at
itself in the mirror. Because the primary focus should be "debugging". The primary focus
should be "let's make sure the kernel released in a year is better than the one released today".
And the primary focus right now seems to be "let's kill things for bugs". That's wrong.

Ответ на reddit:

I think this just comes from a different philosophy behind security at Google. At Google, security
bugs are not just bugs. They're the most important type of bugs imaginable, because a single security
bug might be the only thing stopping a hacker from accessing user data. You want Google engineers obsessing
over security bugs. It's for your own protection. A lot of code at Google is written in such a way that if a
bug with security implications occurs, it immediately crashes the program. The goal is that if there's eve
n the slightest chance that someone found a vulnerability, their chances of exploiting it are minimized.

Увидел здесь, обсуждение здесь, началось отсюда.

Здравствуйте, Sharov, Вы писали:

S>На счет причины уязвимостей:
S>

S>Linus tells Google security engineers what he really thinks about them: Some security people have
S>scoffed at me when I say that security problems are primarily "just bugs". Those security people
S>are f*cking morons. Because honestly, the kind of security person who doesn't accept that security
S>problems are primarily just bugs, I don't want to work with. If you don't see your job as "debugging first",
S> I'm simply not interested. So I think the hardening project needs to really take a good look at
S>itself in the mirror. Because the primary focus should be "debugging". The primary focus
S>should be "let's make sure the kernel released in a year is better than the one released today".
S> And the primary focus right now seems to be "let's kill things for bugs". That's wrong.

С формальной точки зрения он прав, баг — это нежелательное поведение системы, а значит, уязвимость — это баг.
Но это высказывание неконструктивно: ок, пусть это баг. И что дальше? А дальше он ничего не предлагает (разве что, бесконечно отлаживаться).
А "Some security people" — видимо, предлагают.

Здравствуйте, vmpire, Вы писали:

V>С формальной точки зрения он прав, баг — это нежелательное поведение системы, а значит, уязвимость — это баг.
V>Но это высказывание неконструктивно: ок, пусть это баг. И что дальше? А дальше он ничего не предлагает (разве что, бесконечно отлаживаться).
V>А "Some security people" — видимо, предлагают.

Там немного другой контекст. Ему прислали пач на собственно харденинг. Который сделает потенциальную уязвимость менее эксплуатируемой, но скорее всего сломает кучу софта.
И собственно его ответ: "вы конечно молодцы, но давайте не останавливаться на достигнутом. Разберитесь до конца и сделайте так чтобы ничего не ломалось".