TBH the thing that annoyed me most in this story is the "Someone had to start the disclosure process on linux-distros again and if they didn't no one would know" part. There are certainly silent bug fixes where the author intentionally (or not) does not post to linux-distros or any other mailing lists even after stable release. It would take an hour to dig up a good example tho. (Okay, maybe 10 minutes if I'm going to read Brad Spengler's rants)
I guess a Linux kernel security advisory process is needed to fix this, but yeah :(