On Tue, Oct 08, 2024 at 01:40:10PM +0200, Pavel Machek wrote:
> On Tue 2024-10-08 13:24:31, Greg Kroah-Hartman wrote:
> > On Tue, Oct 08, 2024 at 01:19:24PM +0200, Pavel Machek wrote:
> > > Hi!
> > > > Unfortunately for distributions, there may be various customers or government agencies which expect or require all CVEs to be addressed (regardless of severity), which is why we're backporting these to stable and trying to close those gaps.
> > > Customers and government will need to understand that with CVEs assigned the way they are, addressing all of them will be impossible (or will lead to an unstable kernel), unfortunately :-(.
> > Citation needed please.
> To be specific: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-cont...
Yes, I refer to that in my talk I linked to, what they are saying here is great, so work with cve.org to fix it. We can't ignore the cve.org rules while being a CNA, sorry, that's not allowed.
But that link talks nothing about an "unstable kernel" which is what I take objection to. As I always say, never cherry-pick, just take all stable releases. That is proven with much research and publications in the past years, why people don't believe in it is beyond me...
good luck!
greg k-h