
A turning point for CVE numbers

Posted Feb 16, 2024 11:06 UTC (Fri) by bluca (subscriber, #118303)
In reply to: A turning point for CVE numbers by farnz
Parent article: A turning point for CVE numbers

That's the narrative the kernel developers are pushing - it's complete nonsense of course. Yes there is some abuse, like with any other public input system, but it's nowhere near "flooding" levels. As anybody managing any distro can attest, the noise ratio is very low.


A turning point for CVE numbers

Posted Feb 16, 2024 12:00 UTC (Fri) by pizza (subscriber, #46)

> That's the narrative the kernel developers are pushing - it's complete nonsense of course.

Look, you may have expertise in some areas (e.g. knowledge of how EU regs work, etc.) but that does not automatically make you the domain expert in other areas.

Especially when you're digging in on a position directly contrary to the literal "this is why we're doing this" words coming out of the actual domain experts' mouths.

A turning point for CVE numbers

Posted Feb 16, 2024 12:17 UTC (Fri) by bluca (subscriber, #118303)

I am part of a team that manages an internal distribution that, among other things, deals with CVEs weekly. Is that enough "street creds" to call bullshit?

Look, every single Linux distribution has systems and teams to deal with CVEs and security updates. Of course there is abuse, of course there are bogus ones being raised. It is not 80%, it is not the majority, it is not flooding. Could things be improved? Sure. Flooding the system with a bogus CVE for every commit is not the way to do that, quite the opposite.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds