Also, fixes without a CVE will not be backported downstream.

On 10/27/25 18:53, Andrew Latham wrote:
I sadly have observed that CVEs are required on job postings for
security roles. Publish or perish in another industry.

On Mon, Oct 27, 2025 at 11:29 AM Jeremy Stanley <[email protected]> wrote:

On 2025-10-27 09:34:03 -0700 (-0700), Alan Coopersmith wrote:
[...]
The vendor was contacted early about this disclosure but did not
respond in any way.
[...]

With the flood of dubious reports being submitted by anyone who can
thumb some words into an LLM prompt and not bother to check the
results for hallucinated nonsense, I've taken to ignoring or
summarily closing such submissions to projects I work on as not
worth my time to respond. This is probably yet another sign that the
CVE system needs an overhaul or it's going to get ignored when it
becomes as overwhelmed with "AI noise" as everything else (not
saying these reports were necessarily machine-generated, but it's
reaching the point where open source projects with limited resources
have no choice but to silently bin such nonsense to /dev/null).
--
Jeremy Stanley
