Re: Linux kernel CVEs not mentioned on oss-security

[Muhammed Mustapha Abiola <1 () mustapha org>]

Isn't this exactly what Vendor-Sec tried to solve?

On Tue, Sep 26, 2017 at 4:04 PM, Greg KH <greg () kroah com> wrote:

> On Tue, Sep 26, 2017 at 04:50:10PM +0200, Agostino Sarubbo wrote:
> > On martedě 26 settembre 2017 09:32:14 CEST Greg KH wrote:
> > > > I guess this would be benefit for all.
> > >
> > > Define "all"
> >
> > You know, for example in Gentoo we are following the upstream releases.
> So
> > from time to time we stabilize a newer kernel that "syncs" with upstream.
> > This does not happen for non-rolling (release) distros that may want to
> patch/
> > backport the security fix.
>
> I understand the issue well, I talk to companies all the time about this :)
>
> The rule for the kernel is, "if a distro/company/user is not following
> the stable kernel updates, they are on their own".  I recommend either
> using the stable kernels, or paying for a company that knows what they
> are doing in this area and provides support (Red Hat, SuSE, etc.)
>
> And if you try to argue "just tell us what needs to be fixed", well, we
> are, am, we are providing about 10-12 patches a day that people should
> be incorporating into their kernels.  Why they ignore that curated and
> tested stream of fixes is beyond me...
>
> Anyway, this is getting a bit off-topic here, sorry for the noise.
>
> Best of luck,
>
> greg k-h