[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <nycvar.YFH.7.76.2402162108370.21798@cbobk.fhfr.pm>
Date: Fri, 16 Feb 2024 21:27:48 +0100 (CET)
From: Jiri Kosina <jikos@...nel.org>
To: Josh Poimboeuf <jpoimboe@...nel.org>
cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, corbet@....net,
workflows@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, security@...nel.org, linux@...mhuis.info,
Kees Cook <keescook@...omium.org>,
Konstantin Ryabitsev <konstantin@...uxfoundation.org>,
Krzysztof Kozlowski <krzk@...nel.org>,
Lukas Bulwahn <lukas.bulwahn@...il.com>, Sasha Levin <sashal@...nel.org>,
Lee Jones <lee@...nel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE
process
On Fri, 16 Feb 2024, Josh Poimboeuf wrote:
> - Not users of -stable since they already know they need to be on the
> latest version.
>
> - Not distros or their users as it's just flooding them with low quality
> CVEs which have no analysis or scoring.
>
> And enterprise distros will never be able to rebase onto -stable,
> especially for older streams for which they have to be very selective,
> in order to avoid destabilizing them. As you say, "a bug is a bug".
Now that you have played the distro card (thanks!) here, let me just copy
my comment from LWN where someone suggested "well, it's easy, it's the job
of the [paid] distros to do the triage" ...
The problem is, that with this new system, paid distros are going to
suffer a big time (with no benefit to anybody at all). We'll have to put a
lot of productive and creative (upstream) work on hold in order to have
enough resources to sort out the havoc that LTS team is apparently going
to create by DoSing the world with a truckload of irrelevant CVEs.
--
Jiri Kosina
SUSE Labs
Powered by blists - more mailing lists