A turning point for CVE numbers
Posted Feb 16, 2024 13:17 UTC (Fri) by hkario (subscriber, #94864)
In reply to: A turning point for CVE numbers by bluca
Parent article: A turning point for CVE numbers
If you have a policy that says you need to ship fixes for all CVEs, then that's a stupid policy. It just conditions vendors to refuse each and every CVE until it goes through arbitration (something proprietary vendors already do).
What consumers of CVEs need to do is be selective, evaluate if the CVE is relevant, what are the effects of exploiting it, etc. and only then backport it to the product they ship that uses the kernel or other CVEs. Same for end users, if the bug is in an API that's not used by any software that is running, then, no, you don't have to install updates.
The problem is that all of it requires actual work, not blind adherence to the policy, and it's for security, so the business also doesn't want to spend money for it.
It's a complex problem and there are no simple solutions.
Posted Feb 16, 2024 13:35 UTC (Fri) by bluca (subscriber, #118303) (4 responses)
Nobody I know of has such a policy, so that sounds like yet another of those made-up strawmen that the kernel people pushing for this have conjured out of thin air.
We rely on CVE metadata et al. to decide whether we need to pick a fix or not. If the metadata is bogus, because the kernel maintainers just flood the system with bogus CVEs, then we can't do that sensibly anymore, and the process is broken.
Posted Feb 16, 2024 13:43 UTC (Fri) by pizza (subscriber, #46) (3 responses)
I worked for a company that had such a policy.
Respectfully, you need to STFU about stuff that is outside your realm of expertise and experience.
Posted Feb 16, 2024 14:09 UTC (Fri) by bluca (subscriber, #118303) (2 responses)
Sounds like a problem in that company then, why should that justify breaking everything for everybody else?
> Respectfully, you need to STFU about stuff that is outside your realm of expertise and experience.
Respectfully, you need to STFU about my expertise and experience, because you have no idea about either (just like I don't about yours).
Posted Feb 16, 2024 15:32 UTC (Fri) by pizza (subscriber, #46)
*shrug* You made an assertion such organizations do not exist (because you didn't know any) and used that to accuse others of making things up or otherwise speaking in bad faith. You were incorrect on both fronts.
You're free to argue that the current status quo has problems (or not). You're free to talk about *your* experiences, and how proposed actions by others will have ill effects on you or third parties.
But you don't get to claim that other people's direct experiences are wrong, incorrect, or irrelevant, and accuse them of bad faith for taking steps to improve the messes they are dealing with, "because you have no idea about either".
Posted Feb 16, 2024 15:49 UTC (Fri) by pizza (subscriber, #46)
Incidentally, that company was that way because *EU regulations required them to be*.
(They laid off my research team on the tail end of a major process/policy revamp brought about by new regulations soon to come into effect. I was made to endure many training sessions about how those new/updated regulations affected every part of the overall product lifecycle, from early design to manufacturing to label placement/content to post-sales support to how end-of-life would be handled)
So it's not "that company's problem" so much as "the problem of any company operating in a regulated space".