Quoting KatolaZ (katolaz@???):
> This is not a definitive citation, but looks like a concrete starting
> point for a rational discussion:
>
> https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
Kees Cook has always done really good work.
> TL;DR: The article shows that only 2 Critical CVEs and 34 High CVEs
> were found in the Linux kernel between v.2.6.12 and v.4.9. This covers
> about 10 years of kernel development, during which the kernel has
> increased its size from about 8M LOC (2006) to about 22M LOC
> (2016). It's fair to stress that most of the increase is due to device
> drivers though, not to internal kernel components (which have
> increased in size, nevertheless).
A good point -- and illustrates another point that I observed over years
of interpreting CVEs for a living: Just because a piece of code gets
installed on your system doesn't mean your system need be configured to
use it. At $FIRM, I can't even say how many times a CVE turned out not
to apply to our systems upon examination because it relied on exploiting
optional code not locally enabled. And of course, unused device drivers
would be a case in point.
--
Cheers,
Rick Moen
rick@???
McQ! (4x80)

"I am a member of a civilization (IAAMOAC). Step back
from anger. Study how awful our ancestors had it, yet
they struggled to get you here. Repay them by appreciating
the civilization you inherited." -- David Brin
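The applicability check Rick describes above (a kernel CVE only matters if the affected code is built in, or built as a module that is actually loaded) can be scripted. The following is an added example, not code from either poster; the `.config` fragment and the `lsmod` listing are constructed samples, and the CONFIG symbol / module name pairs are illustrative placeholders rather than any specific CVE's affected component.

```shell
#!/bin/sh
# Triage helper: is the kernel option a CVE depends on even compiled in here?
# Constructed sample of a kernel .config fragment (placeholder, not a real box).
SAMPLE_KCONFIG='CONFIG_NET=y
CONFIG_BLUETOOTH=m
# CONFIG_RDS is not set
CONFIG_USB_SERIAL=m
'

# Constructed sample of `lsmod` output (header line plus two loaded modules).
SAMPLE_LSMOD='Module                  Size  Used by
bluetooth             700000  2 btusb,rfcomm
usbcore               300000  5'

# kconfig_state SYMBOL KCONFIG_TEXT -> builtin | module | disabled | unknown
kconfig_state() {
    sym="$1"
    text="$2"
    # Anchor on the exact symbol so CONFIG_NET does not match CONFIG_NETFILTER.
    line=$(printf '%s\n' "$text" | grep -E "^(# )?${sym}(=| |\$)" | head -n1)
    case "$line" in
        "${sym}=y")              echo builtin ;;
        "${sym}=m")              echo module ;;
        "# ${sym} is not set")   echo disabled ;;
        "")                      echo unknown ;;
        *)                       echo builtin ;;  # string/int options (CONFIG_X="..") are enabled
    esac
}

# module_loaded NAME LSMOD_TEXT -> exit 0 if NAME appears in column 1 (past the header)
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# cve_exposure SYMBOL MODULE -> applicable | latent | not-applicable | unknown
# "latent": compiled as a module that is not currently loaded; still patch it,
# since module autoloading can change the picture, but it is not live exposure.
cve_exposure() {
    state=$(kconfig_state "$1" "$SAMPLE_KCONFIG")
    case "$state" in
        builtin)  echo applicable ;;
        disabled) echo not-applicable ;;
        unknown)  echo unknown ;;
        module)
            if module_loaded "$2" "$SAMPLE_LSMOD"; then
                echo applicable
            else
                echo latent
            fi ;;
    esac
}

# Stand-alone demonstration against the constructed samples.
for pair in "CONFIG_NET:dummy" "CONFIG_BLUETOOTH:bluetooth" \
            "CONFIG_RDS:rds" "CONFIG_USB_SERIAL:usbserial"; do
    sym=${pair%%:*}
    mod=${pair#*:}
    printf '%-20s %s\n' "$sym" "$(cve_exposure "$sym" "$mod")"
done
```

On a live system the same functions take real input, e.g. `kconfig_state CONFIG_RDS "$(zcat /proc/config.gz)"` (or `cat /boot/config-$(uname -r)`) and `module_loaded rds "$(lsmod)"`. The verdict only tells you whether the vulnerable code path can be reached on this build; it does not replace patching, it prioritises it.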