GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

sjvn (sjvn@mastodon.social)'s status on Thursday, 03-Apr-2025 04:08:59 JST

    How #Linux Kernel Deals With Tracking CVE #Security Issues: https://thenewstack.io/how-linux-kernel-deals-with-tracking-cve-security-issues/ via @TheNewStack & @sjvn

    And why, all too soon, most #opensource projects must also manage their own Common Vulnerabilities and Exposures.

Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 03-Apr-2025 04:08:58 JST, in reply to The New Stack

      @sjvn @TheNewStack

Ugh, please don't normalize "every open source project needs to be a CNA".

      Most open source projects don't have the resources to be a CNA and shouldn't need to be a CNA

      Curl and the Kernel became CNAs because the CVE process is broken


Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 03-Apr-2025 04:08:58 JST, in reply to Josh Bressers, The New Stack and badger

@joshbressers @sjvn @TheNewStack I'm with @badger: Linux is a CNA to help fix the CVE process, and so far we have already achieved some change, more to hopefully come.

      And the CRA is going to cause other software projects to come to terms with their reporting process, so becoming a CNA is a good step forward in the whole thing.

      And besides, what open source project doesn't want to actually control what other people are saying about your project? Just this week we "took back" a CVE issued by a rogue CNA against Linux when they shouldn't have done so. If we weren't a CNA we would never have been able to do so at all.

Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 03-Apr-2025 04:09:18 JST, in reply to Greg K-H, The New Stack and badger

      @gregkh @TheNewStack @badger @sjvn

      Working to fix the CVE problems should be applauded

      But we need to keep in mind there are open source projects that are one person who spends two hours every other Saturday

      Expecting that person to become a CNA is 🍌

      They should be able to control their CVE data also, but today they can't

daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 03-Apr-2025 04:09:18 JST, in reply to Greg K-H, Josh Bressers and The New Stack

      @joshbressers @gregkh @TheNewStack @sjvn agreed.

We are proposing that OSS projects be able to opt out of getting CVE records "improved" by CVSS.

      We are also discussing how smaller OSS projects could get an existing CNA to deal with their CVEs (their scope really), as if they were a CNA.

      This within the "OSS CNA group" that has been started featuring curl, kernel, perl, and lots of linux distros ppl etc.

sjvn (sjvn@mastodon.social)'s status on Thursday, 03-Apr-2025 04:09:33 JST, in reply to daniel:// stenberg://, Greg K-H, Josh Bressers and The New Stack

      @bagder @joshbressers @gregkh @TheNewStack Where is the OSS CNA group? I don't know it.

Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 03-Apr-2025 04:09:33 JST, in reply to daniel:// stenberg://, Josh Bressers and The New Stack

      @sjvn @bagder @joshbressers @TheNewStack It's not a formal group within cve.org, just a semi-regular meeting of open source projects who are CNAs to discuss things about being a CNA.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.