On Fri, 16 Feb 2024, Theodore Ts'o wrote:
> My observation is that the old system has had pretty low-quality
> CVE's, and worse, overly inflated CVE Severity Scores, which has
> forced all people who are supporting distro and cloud serves which
> sell into the US Government market to have to do ve
On Fri, Feb 16, 2024 at 09:27:48PM +0100, Jiri Kosina wrote:
>
> Now that you have played the distro card (thanks!) here, let me just copy
> my comment from LWN where someone suggested "well, it's easy, it's the job
> of the [paid] distros to do the triage" ...
>
> The problem is, that with thi
On Fri, 16 Feb 2024, Josh Poimboeuf wrote:
> - Not users of -stable since they already know they need to be on the
> latest version.
>
> - Not distros or their users as it's just flooding them with low quality
> CVEs which have no analysis or scoring.
>
> And enterprise distros will never be
On Thu, Feb 15, 2024 at 01:10:55PM +0100, Greg Kroah-Hartman wrote:
> +Note, due to the layer at which the Linux kernel is in a system, almost
> +any bug might be exploitable to compromise the security of the kernel,
> +but the possibility of exploitation is often not evident when the bug is
> +fix
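Review bot: the opening clause of the added paragraph, "due to the layer at which the Linux kernel is in a system", reads awkwardly for documentation text; wording such as "because of the layer the Linux kernel occupies in a system" would say the same thing more clearly.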
On 15.02.24 18:49, Greg Kroah-Hartman wrote:
> On Thu, Feb 15, 2024 at 04:03:02PM +0100, Jürgen Groß wrote:
> > On 15.02.24 13:10, Greg Kroah-Hartman wrote:
> > > The Linux kernel project now has the ability to assign CVEs to fixed
> > > issues, so document the process and how individual developers can get a
> > > CVE
On Thu, Feb 15, 2024 at 06:38:05PM +0100, Jiri Kosina wrote:
> On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:
>
> > The Linux kernel project now has the ability to assign CVEs to fixed
> > issues, so document the process and how individual developers can get a
> > CVE if one is not automatically a
On Thu, Feb 15, 2024 at 04:03:02PM +0100, Jürgen Groß wrote:
> On 15.02.24 13:10, Greg Kroah-Hartman wrote:
> > The Linux kernel project now has the ability to assign CVEs to fixed
> > issues, so document the process and how individual developers can get a
> > CVE if one is not automatically assign
On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:
> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.
There is still one thing that's not clear to
On 15.02.24 13:10, Greg Kroah-Hartman wrote:
> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.
> Reviewed-by: Kees Cook
> Reviewed-by: Konstantin Ryab