Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/kees/statuses/111996365317661808">Kees Cook :tux: (kees@fosstodon.org)'s status on Tuesday, 27-Feb-2024 00:29:40 JST</a><a href="https://fosstodon.org/@kees" title="kees@fosstodon.org"><img src="https://gnusocial.jp/avatar/107149-48-20230725231521.webp" width="48" height="48" alt="Kees Cook :tux:" style="position: absolute; left: 0; top: 0;">Kees Cook :tux:</a><div><a href="https://better.boston/@vathpela/111996139907117827" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/76797" title="vathpela@better.boston">Farce Majeure</a></li><li><a href="https://gnusocial.jp/user/101452" title="gregkh@social.kernel.org">Greg K-H</a></li></ul></div></section><article><p><a href="https://better.boston/@vathpela">@vathpela</a> <a href="https://mastodon.social/@vegard">@vegard</a> <a href="https://social.kernel.org/users/gregkh">@gregkh</a> <br>The corollary of "security bugs are bugs" is "bugs are security bugs". Without an omniscient view of all Linux deployments and the associated reachability analysis, the objective security impact of a behavioral weakness cannot be assessed. And this is especially true given that (even minor) flaws are commonly chained together to build exploits.</p><p>This new process won't be perfect, but it'll be a whole lot closer to reality than the prior process: assigning no CVEs. :)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2763987#notice-5479827">In conversation</a><time datetime="2024-02-27T00:29:40+09:00" title="Tuesday, 27-Feb-2024 00:29:40 JST">Tuesday, 27-Feb-2024 00:29:40 JST</time> <span>from <span><a href="https://fosstodon.org/@kees/111996365317661808" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@kees/111996365317661808">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Tuesday, 27-Feb-2024 00:29:40 JSTKees Cook :tux:
in reply to
@vathpela @vegard @gregkh
The corollary of "security bugs are bugs" is "bugs are security bugs". Without an omniscient view of all Linux deployments and the associated reachability analysis, the objective security impact of a behavioral weakness cannot be assessed. And this is especially true given that (even minor) flaws are commonly chained together to build exploits.
This new process won't be perfect, but it'll be a whole lot closer to reality than the prior process: assigning no CVEs. :)
In conversationTuesday, 27-Feb-2024 00:29:40 JST from fosstodon.orgpermalink

Public

Embed Notice

HTML Code

Corresponding Notice