oss-sec mailing list archives
Re: linux-distros list policy and Linux kernel
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 17 May 2022 03:30:33 +0000
On Mon, May 16, 2022 at 03:12:20PM +0200, Jason A. Donenfeld wrote:
So I think a lot of the kernel's commit message obfuscation and unusual disclosure ideas stem from a sort of collective sigh and desire not to join the circus of security performers. They'll commit the fix, because
I have seen some kernel developers say that the "security bugs" that get attention are no different from dozens of other bugfixes that are committed to the kernel every cycle. If I've understood the complaint correctly they feel like we, the security community, are engaging in a dog-and-pony show around ten percent of the actual problems in the kernel. The other ninety percent get obfuscated commit messages and no one makes a fuss, because it's just way easier that way. I suspect there's some truth to it. (We get hyperbolic reports from security researchers with proof-of-concept exploits that are basically syzkaller reproducers and while they look like they're real issues, it's hard to get excited when it's just .1% of syzkaller's findings.) Is this how the wider kernel community sees the various downstream security efforts? If this accurately describes feelings held by Linux developers, perhaps we need larger changes. Ubuntu has (far too many) kernel trees and the only way we can keep track of the CVEs is via our break-fix lines that show when issues were introduced and when they were fixed. The Fixes: lines in commit messages are wonderful assistances here. Given how much effort it takes me to assign CVEs for kernel issues, I've wondered before if we (me, us, the community as a whole, etc) ought to have a very standard and lightweight way to publish kernel CVEs, something that's not much more than the Fixes: lines already in the commits. I know this discussion didn't start around assigning CVEs to kernel issues, but if we're missing more than we're handling, perhaps it ought to be part of the discussion. Thanks
Attachment:
signature.asc
Description:
Current thread:
- linux-distros list policy and Linux kernel Solar Designer (May 15)
- Re: linux-distros list policy and Linux kernel Igor Seletskiy (May 15)
- Re: linux-distros list policy and Linux kernel Anthony Liguori (May 15)
- Re: linux-distros list policy and Linux kernel Jason A. Donenfeld (May 16)
- Re: linux-distros list policy and Linux kernel Thadeu Lima de Souza Cascardo (May 16)
- Re: linux-distros list policy and Linux kernel Greg KH (May 16)
- Re: linux-distros list policy and Linux kernel Seth Arnold (May 16)
- Re: linux-distros list policy and Linux kernel Greg KH (May 16)
- Re: linux-distros list policy and Linux kernel Jason A. Donenfeld (May 17)
- Re: linux-distros list policy and Linux kernel Greg KH (May 17)
- Re: linux-distros list policy and Linux kernel Jeremy Stanley (May 17)
- Re: linux-distros list policy and Linux kernel Thadeu Lima de Souza Cascardo (May 17)
- Re: linux-distros list policy and Linux kernel Thadeu Lima de Souza Cascardo (May 16)
- Re: linux-distros list policy and Linux kernel Vegard Nossum (May 20)
- Re: linux-distros list policy and Linux kernel Solar Designer (May 22)
- Re: linux-distros list policy and Linux kernel Sam James (May 22)
- Re: linux-distros list policy and Linux kernel Greg KH (May 22)