lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Feb 2024 21:27:48 +0100 (CET)
From: Jiri Kosina <jikos@...nel.org>
To: Josh Poimboeuf <jpoimboe@...nel.org>
cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, corbet@....net, 
    workflows@...r.kernel.org, linux-doc@...r.kernel.org, 
    linux-kernel@...r.kernel.org, security@...nel.org, linux@...mhuis.info, 
    Kees Cook <keescook@...omium.org>, 
    Konstantin Ryabitsev <konstantin@...uxfoundation.org>, 
    Krzysztof Kozlowski <krzk@...nel.org>, 
    Lukas Bulwahn <lukas.bulwahn@...il.com>, Sasha Levin <sashal@...nel.org>, 
    Lee Jones <lee@...nel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE
 process

On Fri, 16 Feb 2024, Josh Poimboeuf wrote:

> - Not users of -stable since they already know they need to be on the
>   latest version.
> 
> - Not distros or their users as it's just flooding them with low quality
>   CVEs which have no analysis or scoring.
> 
> And enterprise distros will never be able to rebase onto -stable,
> especially for older streams for which they have to be very selective,
> in order to avoid destabilizing them.  As you say, "a bug is a bug".

Now that you have played the distro card (thanks!) here, let me just copy 
my comment from LWN where someone suggested "well, it's easy, it's the job 
of the [paid] distros to do the triage" ...

The problem is, that with this new system, paid distros are going to 
suffer a big time (with no benefit to anybody at all). We'll have to put a 
lot of productive and creative (upstream) work on hold in order to have 
enough resources to sort out the havoc that LTS team is apparently going 
to create by DoSing the world with a truckload of irrelevant CVEs.

-- 
Jiri Kosina
SUSE Labs


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ