Re: RFC: Starting a stable kernel series off the 2.6 kernel

[Florian Weimer]

* Arjan van de Ven:

>> Well, if there's a CVE name, the proper patch isn't *that* far away
>> (someone has already done a bit of work to isolate the fix).  The real
>> issue seems to be how to make sure that CVE names are assigned during
>> the kernel development process (and not just as an afterthought by the
>> security folks).
>
> security@xxxxxxxxxx works that way already in a way.

As far as I know, many of the recent CVE assignments for kernel
vulnerabilities have been done by MITRE, requested by individuals
which are neither known as kernel developers, nor vendor security
folks (for "vendor" as in "we have our own legal department with real
lawyers").

Maybe the source of CVE assignments paints a wrong picture.  But if
the CVE picture is correct, vendor-paid kernel developers help behind
the scenes, but there is little interest in openly documenting
security issues, so that users (and what kernel.org considers fringe
distros) can apply the relevant patches if they use kernel.org
kernels.

>From a vendor POV, the lack of official kernel.org advisories may be a
feature.  I find it rather disturbing, and I'm puzzled that the kernel
developer community doesn't view this a problem.  I know I'm alone,
and there are certainly part-time security guys who would be willing
join forces to create something like a kernel.org security bug
database.  But the only answers we get is that everything is fine,
vendors handle the situation, security@xxxxxxxxxx actually does this
already, etc.

> The hardest part is actually knowing which versions are affected,

First, you need to know that the patch plugs a security hole. 8-) This
isn't always obvious based on the patch, even if the fact is known to
the comitter.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/