Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/kees/statuses/113193210604201117">Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:01 JST</a><a href="https://fosstodon.org/@kees" title="kees@fosstodon.org"><img src="https://gnusocial.jp/avatar/107149-48-20230725231521.webp" width="48" height="48" alt="Kees Cook :tux:" style="position: absolute; left: 0; top: 0;">Kees Cook :tux:</a><div><a href="https://social.kernel.org/objects/4a3139dd-3f61-425a-8e64-a7e333838dea" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/232842" title="pavel@social.kernel.org">Pavel Machek</a></li></ul></div></section><article><p><a href="https://social.kernel.org/users/pavel">@pavel</a> <a href="https://fosstodon.org/@KernelRecipes">@KernelRecipes</a> At the LPC CVE BoF, in a room filled with people who care deeply about this topic, there appeared to be consensus that the CNA has traded many false negatives for a few false positives. (I.e. we are now closer to the imagined objective reality of a 1:1 mapping between fixes and CVEs.)</p><p>In the past, with distros and researchers mostly causing the CVE assignments, the implied threat model was that of a distro, and didn't represent other models. (But still missed fixes.)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3714191#notice-7285189">In conversation</a><time datetime="2024-09-25T00:35:01+09:00" title="Wednesday, 25-Sep-2024 00:35:01 JST">about 2 months ago</time> <span>from <span><a href="https://fosstodon.org/@kees/113193210604201117" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@kees/113193210604201117">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:01 JSTKees Cook :tux:
in reply to
- Kernel Recipes
- Pavel Machek
@pavel @KernelRecipes At the LPC CVE BoF, in a room filled with people who care deeply about this topic, there appeared to be consensus that the CNA has traded many false negatives for a few false positives. (I.e. we are now closer to the imagined objective reality of a 1:1 mapping between fixes and CVEs.)
In the past, with distros and researchers mostly causing the CVE assignments, the implied threat model was that of a distro, and didn't represent other models. (But still missed fixes.)
In conversationabout 2 months ago from fosstodon.orgpermalink

Public

Embed Notice

HTML Code

Corresponding Notice