GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

    Kernel Recipes (kernelrecipes@fosstodon.org)'s status on Monday, 23-Sep-2024 22:42:40 JST

    Keep it in mind! First one is a kind of personal mantra #kr2024

    In conversation about 9 months ago from fosstodon.org

    Attachments

    1. https://cdn.fosstodon.org/media_attachments/files/113/186/834/951/056/113/original/d2f813823f0143a5.png
      Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 23-Sep-2024 22:42:39 JST
      in reply to

      @KernelRecipes Followed up by my more nihilistic take:
      https://youtu.be/b2_HAH2kX04#t=373

      Bottom line remains the same: we have to eliminate bug classes. I'm really excited by all the work that continues on this front between fixing the C language itself and the adoption of Rust. We continue to make steady progress, but can always use more help. :)

      In conversation about 9 months ago

      Attachments

      1. https://cdn.fosstodon.org/media_attachments/files/113/187/131/087/449/409/original/87f7941699be07b6.png
      2. Kernel Recipes 2017 - The State of Kernel Self-Protection - Kees Cook
        from Kernel Recipes
        The Kernel Self-Protection Project focuses on addressing gaps in Linux’s defensive technologies. With Linux reaching into every corner of modern life, and us...
      Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 23-Sep-2024 22:42:40 JST
      in reply to Greg K-H

      @KernelRecipes The continuity across upstream messaging has been clear since (probably before) 2017. Same observations then too: https://youtu.be/RKadXpQLmPU#t=2796
      "If you are not using a stable / long-term kernel, your machine is insecure" - @gregkh

      In conversation about 9 months ago

      Attachments

      1. https://cdn.fosstodon.org/media_attachments/files/113/187/106/985/443/500/original/0f37460fe00b8f90.png
      2. Kernel Recipes 2017 - Linux Kernel release model - Greg KH
        from Kernel Recipes
        This talk describes how the Linux kernel development model works, what a long term supported kernel is, and why all Linux-based systems devices should be usi...
      Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 23-Sep-2024 23:54:47 JST
      in reply to

      @KernelRecipes Sometimes people need reminding that CVEs are just a stand-in for the real goal: fixing vulnerabilities. The point of "the deployment cannot have any CVEs" isn't an arbitrary check list. The goal is to get as close as possible to "the deployment cannot have any vulnerabilities".

      The Linux Kernel CNA solves the "tons of false negatives" problem (but creates the "a few false positives" problem), but the result is a more accurate mapping from vulnerabilities to CVEs.

      In conversation about 9 months ago
      Kernel Recipes (kernelrecipes@fosstodon.org)'s status on Monday, 23-Sep-2024 23:54:49 JST
      in reply to Kees Cook :tux:

      From @kees

      In conversation about 9 months ago

      Attachments

      1. https://cdn.fosstodon.org/media_attachments/files/113/186/836/859/771/635/original/9204bf65e0a7bb52.png
      Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:00 JST
      in reply to Pavel Machek

      @pavel @KernelRecipes Deployments always had an obligation to evaluate vulnerabilities and fix them, but now it has become unavoidable and threat model mismatches are glaringly obvious.

      Yes, it is possible that for a given threat model, there are now a ton of CVEs that will need to have their severity labeled as "don't care". But this was always true -- but no one triaged fixes, they triaged against the prior CVEs, which were a small subset of the distro threat model. Lots of fixes got missed.

      In conversation about 9 months ago
      Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:01 JST
      in reply to Pavel Machek

      @pavel @KernelRecipes At the LPC CVE BoF, in a room filled with people who care deeply about this topic, there appeared to be consensus that the CNA has traded many false negatives for a few false positives. (I.e. we are now closer to the imagined objective reality of a 1:1 mapping between fixes and CVEs.)

      In the past, with distros and researchers mostly causing the CVE assignments, the implied threat model was that of a distro, and didn't represent other models. (But still missed fixes.)

      In conversation about 9 months ago
      Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:01 JST
      in reply to Pavel Machek

      @pavel @KernelRecipes I think of the CNA as doing a first pass at CVEs, and then each deployment can continue triage based on their threat model. This is how it's always been, it's just that severity triage has been moved closer to where it is needed: with those that have a threat model to apply. What has changed is that there isn't yet a place for common threat models to share triage. This used to be the CVEs themselves, but that left out all the other threat models and missed tons of fixes.

      In conversation about 9 months ago
      Pavel Machek (pavel@social.kernel.org)'s status on Wednesday, 25-Sep-2024 00:35:02 JST
      in reply to Kees Cook :tux:

      @kees @KernelRecipes Greg & company is introducing so many false positives into the CVE system that CVEs are now completely useless for kernel. Good job! :-( (And calling it "a few false positives" is not really a good sign).
      In conversation about 9 months ago


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.