upvote

points

by baggy_trough21 hours ago |
comments
upvoteby staticassertion17 hours ago|
next
[-]
Greg and Linus do not believe in the entire concept of "vulnerabilities" in the Linux kernel and do not believe in the methods that distros use like cherry picking, therefor they typically are against issuing CVEs, scoring CVEs, describing vulnerabilities at all (if you use the word "vulnerability", your patch will be rejected), etc.

It's fundamentally their position to not work the way that you describe.

reply
upvoteby Hendrikto4 hours ago|
parent|
next
[-]
I would like to read more about this. Do you have a source?
reply
upvoteby staticassertion3 hours ago|
parent|
[-]
http://www.kroah.com/log/blog/2026/02/16/linux-cve-assignmen...

I'd start with Greg's own words. You can probably find more on it from Spender/grsecurity's blog.

reply
upvoteby baggy_trough17 hours ago|
parent|
prev|
[-]
That doesn't really seem to map onto the situation since Greg himself released a 6.12 with the patch earlier today.
reply
upvoteby staticassertion17 hours ago|
parent|
[-]
I don't know what you mean at all. I'm just repeating known kernel policy here. What does 6.12 have to do with anything?
reply
upvoteby baggy_trough16 hours ago|
parent|
[-]
What is your interpretation of why Greg KH released a version of 6.12 with this fix in it today, other than to help distributions avoid this vulnerability?
reply
upvoteby staticassertion3 hours ago|
parent|
[-]
Why would he ever... not release a new version? I don't get what you're trying to say - I'm stating Greg's explicit policy on the topic. If he did something outside of that policy, that wouldn't change anything.
reply
upvoteby baggy_trough2 minutes ago|
parent|
[-]
If he doesn't believe in the "concept of vulnerabilities" then it is remarkable that he released a 6.12 targeted on this one fix. Why would he do that otherwise?
reply
upvoteby bonzini20 hours ago|
prev|
next
[-]
Partly they already have enough on their plate. It's up to the reporter to pick how to handle the disclosure, and unless a specific maintainer chooses to handle it, the Linux security team clearly says they won't.

Partly they have a strong belief that all kernel bugs are vulnerabilities and all vulnerabilities are just bugs; sometimes taken to the extreme in both ways (on one hand this case where the vulnerability is almost ignored; on the other hand, I saw cases where a VM panic that could be triggered only by a misbehaving host—which could just choose to stop executing the VM—was given a CVE).

reply
upvoteby staticassertion17 hours ago|
parent|
next
[-]
This couldn't be more backwards. This has literally nothing to do with bandwidth. The kernel is a CNA, they are explicitly the ones to do this.

The reason they don't is because Linus and Greg have repeatedly, publicly stated that they don't want to because they don't believe that vulnerabilities conceptually make sense for the linux kernel and they refuse to engage in the process.

reply
upvoteby bonzini11 hours ago|
parent|
[-]
> they don't believe that vulnerabilities conceptually make sense

That's exactly what I wrote: "they have a strong belief that all kernel bugs are vulnerabilities and all vulnerabilities are just bugs; sometimes taken to the extreme in both ways".

But there is also a question of bandwidth. If a maintainer asks to bring a specific vulnerability to distros-list, the kernel security people will be reasonable. I did it last March.

reply
upvoteby baggy_trough19 hours ago|
parent|
prev|
[-]
Seems a little crazy. Somebody should evaluate blast radius and do appropriate distro notifications in a case like this (I presume the impact was part of the disclosure, so not much extra work).
reply
upvoteby seanhunter19 hours ago|
parent|
[-]
You know the linux kernel is a free software project right? If you think “somebody should” do a thing but you aren’t prepared to do it yourself then you should maybe ask for a full refund.
reply
upvoteby baggy_trough18 hours ago|
parent|
[-]
Thank you very much, seanhunter. You hit the nail on the head there.
reply
upvoteby bonzini11 hours ago|
parent|
[-]
Not really, because they made Linux a CNA specifically to own the process and distort it the way they want it to be.
reply
upvoteby bluepuma7719 hours ago|
prev|
next
[-]
Well, how do you define main Linux distros? Isn’t the next smaller one not receiving the info always complaining?
reply
upvoteby throw0101a15 hours ago|
parent|
next
[-]
> Well, how do you define main Linux distros? Isn’t the next smaller one not receiving the info always complaining?

For a first approximation: Ubuntu, Debian, RHEL(-derived) to begin with, and SuSE which is in EU/server space (AIUI):

* https://commandlinux.com/statistics/most-popular-linux-distr...

* https://commandlinux.com/statistics/linux-server-market-shar...

Seems like Gentoo, Arch, Mint, and Slackware could also be as well:

* https://distrowatch.com/dwres.php?resource=major

U/Deb/RHEL are 'upstream' of a lot of other projects, and fixes would trickle down to Rocky, Alma, etc. Perhaps VM OS in cloud (AWS, Azure) could be a usage gauge as well.

reply
upvoteby baggy_trough18 hours ago|
parent|
prev|
[-]
Isn't there already a distro security list for this purpose?
reply
upvoteby 20 hours ago|
prev|
next
[-]
deleted
reply
upvoteby shimman17 hours ago|
prev|
[-]
Because one of them might have an incentive to not do so. In this case it's because they want to advertise their own company.
reply