On 10/27/25 4:40 PM, Sebastian Pipping wrote:
> Hello Stuart,
>
> On 10/27/25 20:45, Stuart Henderson wrote:
>> On 2025/10/27 19:51, Sebastian Pipping wrote:
>>> Also, fixes without a CVE will not be backported downstream.
>>
>> That depends on the downstream.
>
> I'm happy to learn which downstreams backport security issues
> without a CVE, in practice. Do you have an example or two?
>
> Thanks and best
>
> Sebastian
Hello,

There is a Linux distro you may not be aware of called "Gentoo" that does this all the time. :)

(Fun fact: there's a Gentoo Developer with the same last name as you.)

In general, the security team is quite happy to backport an issue upstream claims is important, even if, for example, they requested a CVE but haven't gotten one yet.

Conversely, if upstream swears up and down that the CVE is bogus and the patch shouldn't be backported (or the patch is rejected), then Gentoo Security is unlikely to backport it, and probably nobody else would either.

The point of a CVE isn't to "prove" that something is a vulnerability. The point of a CVE is to raise awareness of a vulnerability by getting everyone to talk about it using the same machine-readable name. The distinction isn't an accident.

--
Eli Schwartz