Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://grapheneos.social/users/GrapheneOS/statuses/115429370141209791">GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 25-Oct-2025 14:18:04 JST</a><a href="https://grapheneos.social/@GrapheneOS" title="grapheneos@grapheneos.social"><img src="https://gnusocial.jp/avatar/99224-48-20240219114657.webp" width="48" height="48" alt="GrapheneOS" style="position: absolute; left: 0; top: 0;">GrapheneOS</a><div><a href="https://shitposter.world/objects/06be1df7-d0c2-45e9-b46f-e36ce068a1e2" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/253015" title="jeffcliff@shitposter.world"> Jeff "never listens to women" Cliff, B.Sc. 😷 🇮🇷🇱🇧🇨🇦🧯🏴‍☠️🦝🐙 🐧</a></li></ul></div></section><article><p><a href="https://shitposter.world/users/jeffcliff">@jeffcliff</a> <a href="https://mstdn.plus/@gcvsa">@gcvsa</a> They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments. Most open source projects that are used do not actively seek out CVE assignments. CVE assignments tend to mean issues were found by external security researchers or were very blatant. There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model. It doesn't work well.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5795997#notice-11382693">In conversation</a><time datetime="2025-10-25T14:18:04+09:00" title="Saturday, 25-Oct-2025 14:18:04 JST">about 3 months ago</time> <span>from <span><a href="https://grapheneos.social/@GrapheneOS/115429370141209791" rel="external" title="Sent from grapheneos.social via ActivityPub">grapheneos.social</a></span></span><a href="https://grapheneos.social/@GrapheneOS/115429370141209791">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 25-Oct-2025 14:18:04 JSTGrapheneOS
in reply to
- Gemma ⭐️🔰🇺🇸 🇵🇭 🎐
- Jeff "never listens to women" Cliff, B.Sc. 😷 🇮🇷🇱🇧🇨🇦🧯🏴‍☠️🦝🐙 🐧
@jeffcliff @gcvsa They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments. Most open source projects that are used do not actively seek out CVE assignments. CVE assignments tend to mean issues were found by external security researchers or were very blatant. There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model. It doesn't work well.
In conversationabout 3 months ago from grapheneos.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice