From: Jiri Kosina <jikos@kernel.org>
To: Theodore Ts'o <tytso@mit.edu>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
corbet@lwn.net, workflows@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org, linux@leemhuis.info,
Kees Cook <keescook@chromium.org>,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
Krzysztof Kozlowski <krzk@kernel.org>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Sasha Levin <sashal@kernel.org>, Lee Jones <lee@kernel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process
Date: Fri, 16 Feb 2024 22:51:16 +0100 (CET) [thread overview]
Message-ID: <nycvar.YFH.7.76.2402162247380.21798@cbobk.fhfr.pm> (raw)
In-Reply-To: <20240216214521.GC549270@mit.edu>
On Fri, 16 Feb 2024, Theodore Ts'o wrote:
> My observation is that the old system has had pretty low-quality
> CVE's, and worse, overly inflated CVE Severity Scores, which has
> forced all people who are supporting distro and cloud serves which
> sell into the US Government market to have to do very fast releases to
> meet FedRAMP requirements. At least once, I protested an overly
> inflated CVSS score as being completely b.s., at a particular
> enterprise distro bugzilla, and my opinion as the upstream developer
> was completely ignored.
>
> So quite frankly, at least one enteprise distro hasn't impressed me
Sad to hear that, no matter which distro that was :), hoewer ...
> with avoiding low quality CVE's and high CVSS scores, and so I'm quite
> willing to give the new system a chance. (Especially since I've been
> told that the Linux Kernel CVE team isn't planning on issuing CVSS
> scores, which as far as I'm concerned, is *excellent* since my
> experience is that they are quite bogus, and quite arbitrary.)
... how is this new process going to change anything in that respect?
There will always be some entity assigning a CVSS score (apparently not
the kernel.org/LTS group), and then odds are the situation you are
describing will end up happening according exactly the same scenario,
right?
I am still trying really hard to understand what exactly is the problem
this whole effort is magically solving for everybody out there either
using Linux, or producing something around/on-top-of Linux. And I still
don't get it.
Thanks,
--
Jiri Kosina
SUSE Labs
prev parent reply other threads:[~2024-02-16 21:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-15 12:10 [PATCH v4] Documentation: Document the Linux Kernel CVE process Greg Kroah-Hartman
2024-02-15 15:03 ` Jürgen Groß
2024-02-15 17:49 ` Greg Kroah-Hartman
2024-02-16 8:04 ` Jürgen Groß
2024-02-15 17:38 ` Jiri Kosina
2024-02-15 18:24 ` Greg Kroah-Hartman
2024-02-16 19:26 ` Josh Poimboeuf
2024-02-16 20:27 ` Jiri Kosina
2024-02-16 21:45 ` Theodore Ts'o
2024-02-16 21:51 ` Jiri Kosina [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YFH.7.76.2402162247380.21798@cbobk.fhfr.pm \
--to=jikos@kernel.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=jpoimboe@kernel.org \
--cc=keescook@chromium.org \
--cc=konstantin@linuxfoundation.org \
--cc=krzk@kernel.org \
--cc=lee@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@leemhuis.info \
--cc=lukas.bulwahn@gmail.com \
--cc=sashal@kernel.org \
--cc=security@kernel.org \
--cc=tytso@mit.edu \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).