Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

From: Jiri Kosina
Date: Fri Feb 16 2024 - 15:27:55 EST


On Fri, 16 Feb 2024, Josh Poimboeuf wrote:

> - Not users of -stable since they already know they need to be on the
> latest version.
>
> - Not distros or their users as it's just flooding them with low quality
> CVEs which have no analysis or scoring.
>
> And enterprise distros will never be able to rebase onto -stable,
> especially for older streams for which they have to be very selective,
> in order to avoid destabilizing them. As you say, "a bug is a bug".

Now that you have played the distro card (thanks!) here, let me just copy
my comment from LWN where someone suggested "well, it's easy, it's the job
of the [paid] distros to do the triage" ...

The problem is that with this new system, paid distros are going to
suffer big time (with no benefit to anybody at all). We'll have to put a
lot of productive and creative (upstream) work on hold in order to have
enough resources to sort out the havoc that the LTS team is apparently
going to create by DoSing the world with a truckload of irrelevant CVEs.

--
Jiri Kosina
SUSE Labs