Re: RFC: Starting a stable kernel series off the 2.6 kernel

* Arjan van de Ven:

>> Well, if there's a CVE name, the proper patch isn't *that* far away
>> (someone has already done a bit of work to isolate the fix).  The real
>> issue seems to be how to make sure that CVE names are assigned during
>> the kernel development process (and not just as an afterthought by the
>> security folks).
>
> [email protected] works that way already in a way.

As far as I know, many of the recent CVE assignments for kernel
vulnerabilities have been done by MITRE, requested by individuals
which are neither known as kernel developers, nor vendor security
folks (for "vendor" as in "we have our own legal department with real
lawyers").

Maybe the source of CVE assignments paints a wrong picture.  But if
the CVE picture is correct, vendor-paid kernel developers help behind
the scenes, but there is little interest in openly documenting
security issues, so that users (and what kernel.org considers fringe
distros) can apply the relevant patches if they use kernel.org
kernels.

>From a vendor POV, the lack of official kernel.org advisories may be a
feature.  I find it rather disturbing, and I'm puzzled that the kernel
developer community doesn't view this a problem.  I know I'm alone,
and there are certainly part-time security guys who would be willing
join forces to create something like a kernel.org security bug
database.  But the only answers we get is that everything is fine,
vendors handle the situation, [email protected] actually does this
already, etc.

> The hardest part is actually knowing which versions are affected,

First, you need to know that the patch plugs a security hole. 8-) This
isn't always obvious based on the patch, even if the fact is known to
the comitter.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Alan Cox <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Matthias Andree <[email protected]>

• References:
  • RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Adrian Bunk <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Ben Collins <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Adrian Bunk <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Lee Revell <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Matthias Andree <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Florian Weimer <[email protected]>
  • Re: RFC: Starting a stable kernel series off the 2.6 kernel
    • From: Arjan van de Ven <[email protected]>

• Prev by Date: [patch 21/21] Convert posix timers completely
• Next by Date: Re: nfs unhappiness with memory pressure
• Previous by thread: Re: RFC: Starting a stable kernel series off the 2.6 kernel
• Next by thread: Re: RFC: Starting a stable kernel series off the 2.6 kernel
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]