Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/kees/statuses/113193250406083254">Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:00 JST</a><a href="https://fosstodon.org/@kees" title="kees@fosstodon.org"><img src="https://gnusocial.jp/avatar/107149-48-20230725231521.webp" width="48" height="48" alt="Kees Cook :tux:" style="position: absolute; left: 0; top: 0;">Kees Cook :tux:</a><div><a href="https://fosstodon.org/@kees/113193235177481629" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/232842" title="pavel@social.kernel.org">Pavel Machek</a></li></ul></div></section><article><p><a href="https://social.kernel.org/users/pavel">@pavel</a> <a href="https://fosstodon.org/@KernelRecipes">@KernelRecipes</a> Deployments always had an obligation to evaluate vulnerabilities and fix them, but now it has become unavoidable and threat model mismatches are glaringly obvious.</p><p>Yes, it is possible that for a given threat model, there are now a ton of CVEs that will need to have their severity labeled as "don't care". But this was always true -- but no one triaged fixes, they triaged against the prior CVEs, which were a small subset of the distro threat model. Lots of fixes got missed.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3714191#notice-7285191">In conversation</a><time datetime="2024-09-25T00:35:00+09:00" title="Wednesday, 25-Sep-2024 00:35:00 JST">about 9 months ago</time> <span>from <span><a href="https://fosstodon.org/@kees/113193250406083254" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@kees/113193250406083254">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Wednesday, 25-Sep-2024 00:35:00 JSTKees Cook :tux:
in reply to
- Kernel Recipes
- Pavel Machek
@pavel @KernelRecipes Deployments always had an obligation to evaluate vulnerabilities and fix them, but now it has become unavoidable and threat model mismatches are glaringly obvious.
Yes, it is possible that for a given threat model, there are now a ton of CVEs that will need to have their severity labeled as "don't care". But this was always true -- but no one triaged fixes, they triaged against the prior CVEs, which were a small subset of the distro threat model. Lots of fixes got missed.
In conversationabout 9 months ago from fosstodon.orgpermalink

Public

Embed Notice

HTML Code

Corresponding Notice