upvote

points

by troad12 hours ago |
comments
upvoteby plg9411 hours ago|
next
[-]
> Why isn't it the job of the distros to keep up on upstream security disclosures?

They can't, because (responsible) security disclosures are private, _not public_. That's the whole point of the system: notify the developers in private ahead of time (usually 30, 60 or 90 days) so they can write, test and roll-out the fixes before you release the info to the whole world. This is to minimize the time between when bad actors gain access to the exploits vs. when users install the patch. So "keeping up on security disclosures" cannot ever be a 'pull' process.

Usually the maintainers of the big distros are part of (private) security mailinglists and receive such info. Just not in this case it seems.

reply
upvoteby krzyk6 hours ago|
parent|
[-]
It would be best if distros kept tap on kernel changes and update as soon as possible when they see a security issue fixed.

Sending emails to some big distros would still result with e.g. Gentoo not getting that info because they are not a big distro.

reply
upvoteby maybewhenthesun5 hours ago|
parent|
next
[-]
The problem is that the kernel devs (correctly imo) consider all bugfixes security fixes. So the distros need to decide for themselves which ones are important enough to warrant an update. Apparently this one had a quite unclear commit message, so it importance was missed.

Not ideal, but also: shit happens? It's always a balancing act choosing the lesser of multiple evils and most of the time it seems to work ok-ish, which is probably the best we can hope for ;-P

reply
upvoteby gpvos5 hours ago|
parent|
prev|
[-]
The kernel maintainers don't flag "security fixes" as special, and they have a well-thought-out reason for that, see many other comments in this thread.
reply
upvoteby __bjoernd4 hours ago|
parent|
[-]
That, and they flag pretty much any random patch with a CVE these days, making it harder for distro maintainers to keep up.

For this specific "bug" they took care to not mention any security angle in the commit message, making it extremely hard for an outsider to even realize this was a critical patch. I assume this was because they wanted to push the fix without breaking embargo.

reply
upvoteby bathtub36511 hours ago|
prev|
next
[-]
Where do you suggest they should have kept up on this disclosure?
reply
upvoteby 12 hours ago|
prev|
next
[-]
deleted
reply
upvoteby qotgalaxy12 hours ago|
prev|
[-]
> Expecting a FOSS project to go track down all of its (millions of?) users seems like a very unreasonable expectation, and is well outside of their scope of responsibility.

The post you are responding to says that it would be nice if they copied literally one mailing list.

reply