LWN: Comments on "Kernel security reporting for distributions"
https://lwn.net/Articles/941745/
This is a special feed containing comments posted to the individual LWN article titled "Kernel security reporting for distributions".
Feed built: Wed, 17 Sep 2025 21:14:23 +0000 (lwn@lwn.net)

Kernel security reporting for distributions
https://lwn.net/Articles/943255/
Posted by Cyberax, Fri, 01 Sep 2023 03:55:06 +0000

Anybody with a large enough bona-fide product qualifies for these lists, so they are not exclusive.

Kernel security reporting for distributions
https://lwn.net/Articles/943254/
Posted by gdt, Fri, 01 Sep 2023 03:02:05 +0000

It _is_ amazing that such pre-announcement security lists continue to exist. For example, such inter-vendor secret collusion on product development requires an exemption from competition law, as administered by the Australian Competition and Consumer Commission. I've no doubt that the public interest is sufficient for such an exemption to be granted, but the simple fact is that an exemption hasn't been sought, and therefore any participating Australians are in a dodgy legal position. I imagine that many other countries have similar laws regulating participation in international cartel-like behaviour.

Kernel security reporting for distributions
https://lwn.net/Articles/941943/
Posted by jsegitz, Thu, 17 Aug 2023 15:21:30 +0000

(Disclaimer: I work at SUSE)

It is good that this is discussed, because this has been simmering for a long time. I see the 14-day requirement by distros as the major problem in the way it is currently run. I understand why Solar Designer insists on this (it is really tricky to keep information private for any extended time), but this then leads to people working around distros and distributing the information up front, only to notify distros when it's basically already solved and widely known. We (briefly) considered running an alternative, but as described in the article it's next to impossible for an international company to do that.

As for Greg's main argument: While I can understand the frustration with the enterprise frankenkernels, it is exactly how Jiri describes it. These kernels are important to businesses for various reasons. They pay for that, and this allows these companies to pay kernel developers. Have a look at the development statistics posted here regularly and sum it up; this is far from trivial.

Kernel security reporting for distributions
https://lwn.net/Articles/941900/
Posted by geert, Thu, 17 Aug 2023 13:59:50 +0000

When laws are enacted to make companies responsible for known software vulnerabilities in their products (especially when fixes are available upstream), these companies will adapt, hopefully.

Kernel security reporting for distributions
https://lwn.net/Articles/941865/
Posted by gray_-_wolf, Thu, 17 Aug 2023 12:55:23 +0000

Is there more context to what was meant by

> And note, those "policy decisions of companies" are now known by
> governments to be incorrect, and soon will be made illegal in many
> countries, so we are on the right side here.

?