On 2018-01-26 00:31:19, Ben Hutchings wrote:
> On Thu, 2018-01-25 at 10:17 -0500, Antoine Beaupré wrote:
> [...]
>> > OS vendors (RH/SUSE)
>> > Upstream projects (Xen, Linux etc)
>>
>> I believe those already follow the CVE process and eventually converge
>> over doing the right thing. So I am not really concerned about those
>> people.
> [...]
>
> Linux has a security contact (secur...@kernel.org), but this is only
> used for reporting bugs and discussing how to fix them; CVE assignments
> are left to distributions, DWF, etc. Many security fixes don't get
> discussed there anyway.
>
> I would estimate that less than half of security fixes in Linux
> actually get CVE IDs.
Well that's just disturbing. I am not sure, however, that I can
meaningfully change this by ... er... say writing the kernel mailing
lists, unfortunately.

I haven't got a reply from Snyk.io (yet?) by the way. I suspect I may
not get anything at all...

Any other ideas as to the next steps in general here?

a.

-- 
May your trails be crooked, winding, lonesome, dangerous, leading to
the most amazing view. May your mountains rise into and above the
clouds.
                        - Edward Abbey