
A turning point for CVE numbers

Posted Feb 15, 2024 11:06 UTC (Thu) by bluca (subscriber, #118303)
In reply to: A turning point for CVE numbers by mokki
Parent article: A turning point for CVE numbers

The problem that the CVE system solves is that it allows users to delegate the initial triaging to the CVE authority. Having millions of users do the triaging themselves from scratch is a horrendous waste of resources, and straight impossible in most cases outside of very large corporations with lots of resources to throw at the problem. Then with automation you filter out what is merely present in your product(s), and then your engineers do a final triage to see if it actually applies depending on severity, impact and other metadata/information. This makes the whole process manageable, and you can self-certify that there is a sensible process in place to take care of security vulnerabilities, precautions are taken and so on.

But if the kernel tries to game the system by flooding it with bogus CVEs - one for each commit as it was suggested - then the above process breaks, and suddenly companies shipping products will no longer be able to self-certify that. There will be short term solutions, and then there will be long-term solutions, which might very well involve at least recalculating whether it still makes economic sense to rely on Linux.


A turning point for CVE numbers

Posted Feb 15, 2024 14:30 UTC (Thu) by pbonzini (subscriber, #60935)

> One for each commit as it was suggested

It's not going to be one for each commit according to Greg. https://lwn.net/ml/linux-kernel/2024021447-fastball-twili...

I am cautious about the announcement. If the floodgates open but the result is useful, I hope that whatever tooling distros create to handle kernel CVEs will be public. And also perhaps it will encourage more people to do stable backports of patches that do not apply directly.

If the result is useless, on the other hand, I will just stop suggesting patches for stable. *shrug*


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds