GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation
    mort (mort@fosstodon.org)'s status on Thursday, 30-May-2024 19:27:32 JST

    The #CVE count of the #Linux #kernel is not looking good these days compared to any other #OS is it. Maybe time to switch to #FreeBSD or some other system which doesn't claim to find hundreds of significant vulnerabilities every day

      Lorenzo Stoakes (ljs@social.kernel.org)'s status on Thursday, 30-May-2024 19:27:25 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦
      • Greg K-H
      • Vlastimil Babka
      @gregkh @vbabka @mcepl @mort everything you say after 'I am not trolling' absolutely does not contradict the position that you are trolling (nor what you said in your talk about... err... trolling CVEs).

      Trolling CVE = following the rules to the letter to demonstrate the rules are silly.

      I mean I might not be as senior as Vlasta (which is probably why you're replying to him not me), but I did speak to other senior kernel people in person and EVERYBODY thinks this is what you're doing.

      The issue is the downstream effects as collateral damage, but since your position is 'use stable kernels or I don't care' I guess you don't care ;)
      Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 30-May-2024 19:27:25 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦
      • Lorenzo Stoakes
      • Vlastimil Babka
      @ljs @mcepl @mort @vbabka Yes, I said "trolling" many years ago in jest as there was no way for the kernel community to actually create CVEs like that, it was a joke.

      But what I'm saying now is that I am NOT trolling anyone. The number of CVEs created for the kernel is exactly what cve.org wants us to do here as now we ARE allowed to be a CNA. And by being a CNA, we must follow the rules of cve.org which is what we are doing. I have had many meetings with the cve.org employees and board about this, and everyone seems to be in agreement that what we are doing now is correct and should be done this way.

      Again, I'm not trolling anyone, and again, the kernel development model has not changed, all that has changed is that finally we are marking all potential vulnerability fixes as CVEs.

      Again, if anyone knows of any CVE entries that we have assigned that should not be CVE entries, please let us know.
      Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 30-May-2024 19:27:26 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦
      • Lorenzo Stoakes
      • Vlastimil Babka
      @vbabka @mort @ljs @mcepl I am not trolling anything, I am working within the requirements of the CVE system at the request of the people who run it. We are doing so because other entities were abusing the CVE system for the Linux project in the past, so in order to take control of it, we must work within the constraints with which we are placed.

      And that means assigning CVEs to everything that meets the definition of vulnerability as defined by cve.org. If you, or anyone else, notices a CVE we issue that does NOT meet that definition, please let us know and we will be glad to reject it.

      Odds are other operating system kernels will start doing the same as Linux does, if they wish to be a CNA for their project. We aren't alone here, it's just that we report our fixes, others don't, or aren't actually developing any fixes. You be the judge of which is the case for various projects :)
      mort (mort@fosstodon.org)'s status on Thursday, 30-May-2024 19:27:27 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦

      @mcepl Maybe, I can't recall and I don't think it's very relevant.

      Vlastimil Babka (vbabka@social.kernel.org)'s status on Thursday, 30-May-2024 19:27:27 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦
      • Lorenzo Stoakes
      @mort @mcepl it is relevant, Greg is explaining there his plan to troll the cve system and so now he does exactly that. Cc @ljs
      Matěj Cepl 🇪🇺 🇨🇿 🇺🇦 (mcepl@floss.social)'s status on Thursday, 30-May-2024 19:27:28 JST
      @mort

      Have you watched https://youtu.be/HeeoTE9jLjM ?


      Attachments

      1. Kernel Recipes 2019 - CVEs are dead, long live the CVE!
        from Kernel Recipes
        For the Linux kernel, CVEs do not work at all given the rate of fixes being applied and rapidly backported and pushed to users through a huge variety of diff...
      mort (mort@fosstodon.org)'s status on Thursday, 30-May-2024 19:27:29 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦

      @mcepl Well I knew there were issues, nothing is perfect, but I was under the impression that it was secure enough that you couldn't fix a hundred exploitable vulnerabilities per day and still go strong a month later, yeah.

      mort (mort@fosstodon.org)'s status on Thursday, 30-May-2024 19:27:29 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦

      @mcepl If FreeBSD started publishing a hundred CVEs about exploitable vulnerabilities per day I would have the same reaction to that

      mort (mort@fosstodon.org)'s status on Thursday, 30-May-2024 19:27:30 JST
      in reply to
      • Matěj Cepl 🇪🇺 🇨🇿 🇺🇦

      @mcepl That's not what I'm saying. I'm saying that if there are enough exploitable vulnerabilities in Linux to fix a hundred of them every single day consistently, clearly it's not a very secure operating system

      If there's not enough exploitable vulnerabilities to do that but they're publishing a hundred CVEs per day regardless, that's just a DDOS attack against a deeply imperfect yet useful vulnerability reporting system

      Matěj Cepl 🇪🇺 🇨🇿 🇺🇦 (mcepl@floss.social)'s status on Thursday, 30-May-2024 19:27:30 JST
      @mort

      And yet until yesterday you were using it happily, persuaded that it is secure, and if Greg took over FreeBSD and started reporting CVEs on it, you would be persuaded that it is insecure as well? It is just reporting!

      Matěj Cepl 🇪🇺 🇨🇿 🇺🇦 (mcepl@floss.social)'s status on Thursday, 30-May-2024 19:27:31 JST
      @mort Are you listening to yourself? The system which reports fewer security issues is more secure? Really? Then you should switch to #OpenBSD, because they hide their security errors best!

      mort (mort@fosstodon.org)'s status on Thursday, 30-May-2024 19:28:40 JST
      in reply to
      • Greg K-H

      But no seriously, what the fuck is @gregkh trying to achieve here? Before, I could use a CVE count as an argument to spend time upgrading #Linux: "there have been found 5 vulnerabilities in the version we use, we should upgrade to the latest". These days, CVEs are useless for that purpose; everyone knows that pretty much every single one of the thousands of "CVEs" affecting the kernel version we're on is bogus, so they aren't useful for that purpose any more, so we stay on old kernels for longer.

      Morten Linderud (foxboron@chaos.social)'s status on Thursday, 30-May-2024 19:28:40 JST
      in reply to
      • Greg K-H

      @mort @gregkh

      Using CVE counts as an argument this way has always been bogus though, regardless of what is currently happening.


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.