lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240216214521.GC549270@mit.edu>
Date: Fri, 16 Feb 2024 16:45:21 -0500
From: "Theodore Ts'o" <tytso@....edu>
To: Jiri Kosina <jikos@...nel.org>
Cc: Josh Poimboeuf <jpoimboe@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>, corbet@....net,
        workflows@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org, security@...nel.org, linux@...mhuis.info,
        Kees Cook <keescook@...omium.org>,
        Konstantin Ryabitsev <konstantin@...uxfoundation.org>,
        Krzysztof Kozlowski <krzk@...nel.org>,
        Lukas Bulwahn <lukas.bulwahn@...il.com>,
        Sasha Levin <sashal@...nel.org>, Lee Jones <lee@...nel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

On Fri, Feb 16, 2024 at 09:27:48PM +0100, Jiri Kosina wrote:
> 
> Now that you have played the distro card (thanks!) here, let me just copy 
> my comment from LWN where someone suggested "well, it's easy, it's the job 
> of the [paid] distros to do the triage" ...
> 
> The problem is, that with this new system, paid distros are going to 
> suffer a big time (with no benefit to anybody at all). We'll have to put a 
> lot of productive and creative (upstream) work on hold in order to have 
> enough resources to sort out the havoc that LTS team is apparently going 
> to create by DoSing the world with a truckload of irrelevant CVEs.

My observation is that the old system has had pretty low-quality
CVE's, and worse, overly inflated CVE Severity Scores, which has
forced all people who are supporting distro and cloud serves which
sell into the US Government market to have to do very fast releases to
meet FedRAMP requirements.  At least once, I protested an overly
inflated CVSS score as being completely b.s., at a particular
enterprise distro bugzilla, and my opinion as the upstream developer
was completely ignored.

So quite frankly, at least one enteprise distro hasn't impressed me
with avoiding low quality CVE's and high CVSS scores, and so I'm quite
willing to give the new system a chance.  (Especially since I've been
told that the Linux Kernel CVE team isn't planning on issuing CVSS
scores, which as far as I'm concerned, is *excellent* since my
experience is that they are quite bogus, and quite arbitrary.)

	      	   	     	   	  - Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ