Conversation

Notices

1. Embed this notice
   Vegard Nossum 🥑 (vegard@mastodon.social)'s status on Wednesday, 28-Feb-2024 03:24:34 JST Vegard Nossum 🥑

   • Farce Majeure
   • Greg K-H
   • kurtseifried (he/him)
   • Kees Cook :tux:

   @kurtseifried @kees @vathpela @gregkh I mean, yes... we're already doing all that, Oracle Linux kernels are based on stable and take all stable patches. But that's beside the point. I'm questioning the value of marking these particular patches as fixing vulnerabilities.

   Anyway, the solution here (like I think @gregkh mentioned a couple of times) is that we need to (continue to) do our own screening and assessments in the context of our own products. Which is fair.

   • Embed this notice
     Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 28-Feb-2024 03:24:34 JST Kees Cook :tux:

     in reply to

     • Farce Majeure
     • Greg K-H
     • kurtseifried (he/him)

     @vegard @kurtseifried @vathpela @gregkh That is exactly right!

     I remain impressed that the Ubuntu security team (and kernel team) do severity analysis (with respect to the distro), and usually flaw introduction commit analysis, for each kernel CVE. It's already lot of work, so I'm curious how they will adapt to the higher rate of CVE assignments now.

     James Morris likes this.