
A turning point for CVE numbers

A turning point for CVE numbers

Posted Feb 14, 2024 19:28 UTC (Wed) by DemiMarie (subscriber, #164188)
In reply to: A turning point for CVE numbers by jbenc
Parent article: A turning point for CVE numbers

What would be needed to improve quality?


A turning point for CVE numbers

Posted Feb 15, 2024 4:09 UTC (Thu) by Darakian (guest, #96997) [Link] (3 responses)

> What would be needed to improve quality?

Funds for a team to test and curate which bugs actually have security implications

A turning point for CVE numbers

Posted Feb 16, 2024 1:48 UTC (Fri) by dralley (subscriber, #143766) [Link] (1 responses)

So... Red Hat / SUSE?

A turning point for CVE numbers

Posted Feb 16, 2024 23:30 UTC (Fri) by Darakian (guest, #96997) [Link]

Ya basically, but ideally part of the kernel org and making security claims about commits rather than compiled objects

A turning point for CVE numbers

Posted Mar 7, 2024 5:50 UTC (Thu) by DemiMarie (subscriber, #164188) [Link]

What about testing stable kernels, to ensure that they are actually stable?

A turning point for CVE numbers

Posted Feb 15, 2024 6:35 UTC (Thu) by marcH (subscriber, #57642) [Link] (3 responses)

> What would be needed to improve quality?

Companies using Linux "for free" should hire fewer amateurs and more "real" software engineers who actually know how to:
- write test code,
- automate their validation
- quickly test stable branches
- bisect regressions
- file good bugs
- [optional] fix regressions themselves

You get what you paid for; if you don't pay for quality, then you don't get quality.

[indefinite "you", not answering anyone in particular]

If stable branches are full of regressions then _prove_ it. Overwhelm them with bug reports and... even more CVEs! The very first step is sharing _evidence_ of the problem, otherwise nothing ever changes.

If nothing changes even after sharing evidence then maybe Linux was too cheap and too good to be true and the wrong choice for you. Either write your own kernel and operating system or buy a better one. Linux has been incredibly successful but many companies still do that.

Whatever you do, before whining remember how much you paid for it.

A turning point for CVE numbers

Posted Feb 15, 2024 15:07 UTC (Thu) by bferrell (subscriber, #624) [Link] (1 responses)

We need to look at why those amateurs are being hired. It's not JUST in code this is happening.

There are simply not enough "qualified" individuals to support the "I want it NOW" world we have. And I don't mean in any given country. So, it's become grab a warm body that comes close, pay the going rate and pray.

If you think the people doing code are underpaid, you likely think they ought to be paid like rock stars... And that too is part of the problem.

A turning point for CVE numbers

Posted Feb 15, 2024 16:11 UTC (Thu) by marcH (subscriber, #57642) [Link]

You're right: as long as the market is happy to keep buying buggy, insecure and unmaintained products that happen to use Linux then who am I to tell anyone to stop making them.

But still: don't come and complain that some Linux branches are buggy when you got them for free and did barely any QA on them yourself. You got what you paid for.

I think there is a perception problem because quality is even less tangible than lines of code. But good companies making quality products (Linux-based and not) know very well how much it's really worth.

A turning point for CVE numbers

Posted Feb 20, 2024 8:50 UTC (Tue) by gmgod (guest, #143864) [Link]

Amen to that


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds