Re: [PATCH] Documentation: Document the Linux Kernel CVE process

From: Kees Cook
Date: Tue Feb 13 2024 - 17:35:38 EST


On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> +No CVEs will be assigned for unfixed security issues in the Linux
> +kernel, assignment will only happen after a fix is available as it can
> +be properly tracked that way by the git commit id of the original fix.
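Review bot: The added sentence is a comma splice ("...in the Linux kernel, assignment will only happen..."), which is worth splitting in documentation that readers will cite verbatim; suggest: "No CVEs will be assigned for unfixed security issues in the Linux kernel. Assignment will only happen after a fix is available, as the issue can then be properly tracked by the git commit id of the original fix."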

This seems at odds with the literal definition of what CVEs are:
_vulnerability_ enumeration. This is used especially during the
coordination of fixes; how is this meant to interact with embargoed
vulnerability fixing?

Outside of that, I welcome the fire-hose of coming identifiers! I think
this will more accurately represent the number of fixes landing in
stable trees and how important it is for end users to stay current on
a stable kernel.

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook