Quoting KatolaZ (kato...@freaknet.org):

> This is not a definitive citation, but looks like a concrete starting
> point for a rational discussion:
>
> https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/

Kees Cook has always done really good work.

> TL;DR: The article shows that only 2 Critical CVEs and 34 High CVEs
> were found in the Linux kernel between v.2.6.12 and v.4.9. This covers
> about 10 years of kernel development, during which the kernel has
> increased its size from about 8M LOC (2006) to about 22M LOC
> (2016). It's fair to stress that most of the increase is due to device
> drivers though, not to internal kernel components (which have
> increased in size, nevertheless).

A good point -- and illustrates another point that I observed over years of
interpreting CVEs for a living: Just because a piece of code gets installed
on your system doesn't mean your system need be configured to use it.

At $FIRM, I can't even say how many times a CVE turned out not to apply to
our systems upon examination because it relied on exploiting optional code
not locally enabled. And of course, unused device drivers would be a case
in point.

-- 
Cheers,                 "I am a member of a civilization (IAAMOAC).  Step back
Rick Moen               from anger.  Study how awful our ancestors had it, yet
r...@linuxmafia.com    they struggled to get you here.  Repay them by appreciating
McQ! (4x80)             the civilization you inherited."   -- David Brin

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
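The triage step Rick describes (checking whether a CVE's affected code is even built or in use locally before treating it as applicable) can be mechanised. The following is an added example, not code from the thread or from any of the people quoted in it: it parses a kernel `.config` fragment and `lsmod`-style output and classifies a CVE entry by whether its Kconfig option is unset, built in, or built as a module that is or is not loaded. The config lines, the module list and the CVE entries below are constructed sample data, and the option/module pairings are hypothetical, chosen only to exercise each branch.

```python
"""CVE applicability triage against local kernel configuration.

Added example (not from the Dng thread). Inputs are constructed here
so the script runs offline; on a real host you would read
/boot/config-$(uname -r) and the output of `lsmod` instead.
"""
import re

# Constructed kernel .config fragment (hypothetical option states).
SAMPLE_CONFIG = """\
CONFIG_NET=y
CONFIG_EXT4_FS=y
CONFIG_USB_NET_RNDIS_WLAN=m
CONFIG_VIVID=m
# CONFIG_BT is not set
"""

# Constructed `lsmod` output: only rndis_wlan is currently loaded.
SAMPLE_LSMOD = """\
Module                  Size  Used by
rndis_wlan             45056  0
"""

# Constructed triage table: (label, Kconfig option, module name).
# The labels are placeholders, not real CVE identifiers.
SAMPLE_ENTRIES = [
    ("CVE-PLACEHOLDER-1", "CONFIG_USB_NET_RNDIS_WLAN", "rndis_wlan"),
    ("CVE-PLACEHOLDER-2", "CONFIG_BT", "bluetooth"),
    ("CVE-PLACEHOLDER-3", "CONFIG_VIVID", "vivid"),
    ("CVE-PLACEHOLDER-4", "CONFIG_EXT4_FS", "ext4"),
]


def parse_config(text):
    """Map CONFIG_* names to 'y', 'm', 'n' (or other literal values)."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\S+)", line)
        if m:
            result[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set", line)
        if m:
            result[m.group(1)] = "n"
    return result


def parse_lsmod(text):
    """Return the set of loaded module names from `lsmod` output."""
    loaded = set()
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if parts:
            loaded.add(parts[0])
    return loaded


def applicability(option, module, config, loaded):
    """Classify one CVE entry against the local build and runtime state."""
    state = config.get(option, "unknown")
    if state == "n":
        return "not-built"          # code is not in this kernel at all
    if state == "y":
        return "built-in"           # always present; treat as applicable
    if state == "m":
        # A module that is not loaded is still a lower priority, not zero:
        # hotplug or autoload can pull it in later (see note below).
        return "module-loaded" if module in loaded else "module-not-loaded"
    return "unknown"                # option absent from the config; review by hand


def triage(entries, config_text, lsmod_text):
    """Return [(label, classification)] for every entry in the table."""
    config = parse_config(config_text)
    loaded = parse_lsmod(lsmod_text)
    return [(label, applicability(opt, mod, config, loaded))
            for label, opt, mod in entries]


if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_ENTRIES, SAMPLE_CONFIG, SAMPLE_LSMOD):
        print(f"{label:22s} {verdict}")
```

"module-not-loaded" is a priority hint, not a dismissal: on a stock kernel a module can be autoloaded by a hotplug event or by a protocol request, so the durable mitigation for an unneeded driver is to prevent it from loading (a modprobe blacklist entry, or an `install <module> /bin/false` line) and to record that decision alongside the triage result.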