Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

[Jiri Kosina]

On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:

> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.

There is still one thing that's not clear to me with this new process, and 
that's how embargos are going to be handled.

Currently, the process is broken as well, but at least understood by 
everybody.

- issues are reported to security@xxxxxxxxxx. No CVE assigned, 7days 
  embargo, then fix gets pushed out

- at some point (in parallel, before, or after the above), the issue gets 
  reported to linux-distros@. CVE gets assigned, and downstreams start 
  integrating the fix (once available) to their codebase.

- embargo is lifted, fixes are released with proper CVE reference

How is the new process going to look like? Please keep in mind that 
linux-stable is (by far!) *not* the only downstream of Linux Kernel 
project.

We've had this discussion in other contexts already, but I whole-heartedly 
believe that it's in no way in the Linux Kernel project's interest to kill 
those other downstreams (read: Linux distros) (*) ... or is it?

(*) just looking at how much those not-basing-on-stable distros are 
    contributing to mainline

Thanks,

-- 
Jiri Kosina
SUSE Labs