*Hi Greg,*
I am writing to formally invite you to a public debate at next year’s
FOSDEM.
Our past discussions surrounding the HFS+ vulnerability—and the
subsequent "lamest vendor response" award the Linux CNA received at
DEFCON—highlighted a significant disconnect in how we approach security,
disclosure, and community roles. My goal is not to re-litigate a past
issue, but to bring transparency to crucial questions that many in our
community are asking about the future.
I propose a moderated discussion in the Linux kernel devroom to explore
these topics. The idea is to foster a constructive dialogue, not a
confrontation. The key questions to address would be:
*
*The Linux CNA's Role:* What is its responsibility in global product
security, and is its current approach effective?
*
*Vulnerability Triage:* Is the "all bugs are just bugs" philosophy
sustainable, or do certain flaws require a higher class of treatment?
*
*The Future of Linux Security:* What are the long-term consequences
of our strategic choices regarding security investment and process?
*
*The Next Generation:* How does the kernel project integrate the
perspectives of independent, nonconformist, and younger developers?
*
*Regulatory Readiness:* How can the kernel community best prepare
for the impact of legislation like the EU’s Cyber Resilience Act (CRA)?
I believe FOSDEM's open, community-driven, and unfiltered nature makes
it the ideal venue. A frank conversation between us would bring immense
value and clarity to these complex challenges for the benefit of the
entire ecosystem.
Would you be willing to participate?
*Best regards,*
*Attila*
On 10/2/25 16:34, Greg KH wrote:
On Thu, Oct 02, 2025 at 03:11:17PM +0200, Attila Szasz wrote:
For the sake of product security folks who rely on consistency: the Linux
CNA recently registered a batch of HFS/HFS+ CVEs that require manipulating
malformed filesystems as a first step. This seems inconsistent with how
similar cases were previously handled.
If you feel the Linux CNA has issued CVEs in an inconsistent way, please
contact them and the people there will be glad to research the issue and
get back to you. They are issuing, on average, 13 CVEs a day, and so
stuff like this easily gets lost in the firehose.
The Linux CNA is also currently "backfilling" many old CVE entries that
previously came from the GSD database, and perhaps the issues you are
referring to came from there. If so, again, please contact them and
they will be glad to discuss it.
thanks,
greg k-h
