Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/kees/statuses/113187186787698685">Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 23-Sep-2024 23:54:47 JST</a><a href="https://fosstodon.org/@kees" title="kees@fosstodon.org"><img src="https://gnusocial.jp/avatar/107149-48-20230725231521.webp" width="48" height="48" alt="Kees Cook :tux:" style="position: absolute; left: 0; top: 0;">Kees Cook :tux:</a><div><a href="https://fosstodon.org/@KernelRecipes/113186837980154476" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://fosstodon.org/@KernelRecipes">@KernelRecipes</a> Sometimes people need reminding that CVEs are just a stand-in for the real goal: fixing vulnerabilities. The point of "the deployment cannot have any CVEs" isn't an arbitrary check list. The goal is to get as close as possible to "the deployment cannot have any vulnerabilities".</p><p>The Linux Kernel CNA solves the "tons of false negatives" problem (but creates the "a few false positives" problem), but the result is a more accurate mapping from vulnerabilities to CVEs.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3714191#notice-7274804">In conversation</a><time datetime="2024-09-23T23:54:47+09:00" title="Monday, 23-Sep-2024 23:54:47 JST">about 8 months ago</time> <span>from <span><a href="https://fosstodon.org/@kees/113187186787698685" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@kees/113187186787698685">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 23-Sep-2024 23:54:47 JSTKees Cook :tux:
in reply to
- Kernel Recipes
@KernelRecipes Sometimes people need reminding that CVEs are just a stand-in for the real goal: fixing vulnerabilities. The point of "the deployment cannot have any CVEs" isn't an arbitrary check list. The goal is to get as close as possible to "the deployment cannot have any vulnerabilities".
The Linux Kernel CNA solves the "tons of false negatives" problem (but creates the "a few false positives" problem), but the result is a more accurate mapping from vulnerabilities to CVEs.
In conversationabout 8 months ago from fosstodon.orgpermalink

Public

Embed Notice

HTML Code

Corresponding Notice