Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

Workflows Archive mirror
 help / color / mirror / Atom feed

From: Jiri Kosina <jikos@kernel.org>
To: Theodore Ts'o <tytso@mit.edu>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>,
	 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	corbet@lwn.net,  workflows@vger.kernel.org,
	linux-doc@vger.kernel.org,  linux-kernel@vger.kernel.org,
	security@kernel.org, linux@leemhuis.info,
	 Kees Cook <keescook@chromium.org>,
	 Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
	 Krzysztof Kozlowski <krzk@kernel.org>,
	 Lukas Bulwahn <lukas.bulwahn@gmail.com>,
	Sasha Levin <sashal@kernel.org>,  Lee Jones <lee@kernel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process
Date: Fri, 16 Feb 2024 22:51:16 +0100 (CET)	[thread overview]
Message-ID: <nycvar.YFH.7.76.2402162247380.21798@cbobk.fhfr.pm> (raw)
In-Reply-To: <20240216214521.GC549270@mit.edu>

On Fri, 16 Feb 2024, Theodore Ts'o wrote:

> My observation is that the old system has had pretty low-quality
> CVE's, and worse, overly inflated CVE Severity Scores, which has
> forced all people who are supporting distro and cloud serves which
> sell into the US Government market to have to do very fast releases to
> meet FedRAMP requirements.  At least once, I protested an overly
> inflated CVSS score as being completely b.s., at a particular
> enterprise distro bugzilla, and my opinion as the upstream developer
> was completely ignored.
> 
> So quite frankly, at least one enteprise distro hasn't impressed me

Sad to hear that, no matter which distro that was :), hoewer ... 

> with avoiding low quality CVE's and high CVSS scores, and so I'm quite
> willing to give the new system a chance.  (Especially since I've been
> told that the Linux Kernel CVE team isn't planning on issuing CVSS
> scores, which as far as I'm concerned, is *excellent* since my
> experience is that they are quite bogus, and quite arbitrary.)

... how is this new process going to change anything in that respect? 

There will always be some entity assigning a CVSS score (apparently not 
the kernel.org/LTS group), and then odds are the situation you are 
describing will end up happening according exactly the same scenario, 
right?

I am still trying really hard to understand what exactly is the problem 
this whole effort is magically solving for everybody out there either 
using Linux, or producing something around/on-top-of Linux. And I still 
don't get it.

Thanks,

-- 
Jiri Kosina
SUSE Labs

     prev parent reply	other threads:[~2024-02-16 21:51 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-15 12:10 [PATCH v4] Documentation: Document the Linux Kernel CVE process Greg Kroah-Hartman
2024-02-15 15:03 ` Jürgen Groß
2024-02-15 17:49   ` Greg Kroah-Hartman
2024-02-16  8:04     ` Jürgen Groß
2024-02-15 17:38 ` Jiri Kosina
2024-02-15 18:24   ` Greg Kroah-Hartman
2024-02-16 19:26 ` Josh Poimboeuf
2024-02-16 20:27   ` Jiri Kosina
2024-02-16 21:45     ` Theodore Ts'o
2024-02-16 21:51       ` Jiri Kosina [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=nycvar.YFH.7.76.2402162247380.21798@cbobk.fhfr.pm \
    --to=jikos@kernel.org \
    --cc=corbet@lwn.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=jpoimboe@kernel.org \
    --cc=keescook@chromium.org \
    --cc=konstantin@linuxfoundation.org \
    --cc=krzk@kernel.org \
    --cc=lee@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@leemhuis.info \
    --cc=lukas.bulwahn@gmail.com \
    --cc=sashal@kernel.org \
    --cc=security@kernel.org \
    --cc=tytso@mit.edu \
    --cc=workflows@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).