@gregkh Quick question about CVE assignments, are you only assigning based on commits that actually make an appearance in stable? What happens if you have a mainline fix that fails to apply to stable (AKA the previous mainline release) and nobody submits a backport, would that escape CVE review and assignment..?
Vegard Nossum 🥑 (vegard@mastodon.social)'s status on Thursday, 19-Dec-2024 16:13:59 JST Vegard Nossum 🥑
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 19-Dec-2024 16:13:59 JST Greg K-H
@vegard Yes, that would miss the normal "review all the stable commits" process. If you think there is a mainline-only commit that needs to have a CVE, please let us know at the cve@k.o address and we can assign it then.
But better yet, backport the fix to stable and it all happens automatically for you :)
Vegard Nossum 🥑 (vegard@mastodon.social)'s status on Thursday, 19-Dec-2024 16:18:07 JST Vegard Nossum 🥑
@gregkh Thanks. I think the probability of this happening is probably fairly low (recent release => fewer conflicts + you'll probably pick up the missing prerequisite patches) but it's good to have a correct understanding of how the process works.
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 19-Dec-2024 16:18:07 JST Greg K-H
@vegard Does our current documentation not make this clear?
If not, patches welcome :)