Sounds like a job for the Linux Foundation maybe?

You don't need anyone's permission to make a distro, that's true, but if you notify Debian, Canonical, Fedora, Red Hat and Arch you're covering a very large fraction of users; way more than today's 0%. In cases like this, perfect is the enemy of the good.

reply
The Linux Foundation hasn't been about Linux (except marginally) in a long while, if ever.

The name is a misnomer.

reply
A rogue actor may create a new distro, maybe for some niche use case such as accessibility or retro gaming. After acquiring enough false (and even some real) users that the Linux Foundation accepts them as a notifiable distro maintainer, this maintainer could then pwn machines before the exploit is made public.
reply
I didn't say all distros should be notified, for that exact reason. I listed a handful of major distros.
reply
Who gets to decide who the lucky few are?
reply
Sounds like a job for the Linux Foundation maybe?
reply
Human beings
reply
Qualified by what?
reply
Are you implying it requires expertise to figure out the ten (plus or minus a factor of two) biggest distros? I think most people that understand the context of the question can figure out pretty similar lists.
reply
Rather than the current situation, where they can pwn machines after the exploit is made public?
reply
Yes. After the exploit is made public, the window of opportunity closes quickly.
reply
Uh, there is a list, named "linux-distros", which is for this purpose (and I think it's for more than just Linux, e.g. I believe it was used for the xz vuln).

Given this was announced when backports weren't ready (and given the POC was at least opaque if not obfuscated), I'm getting the vibe fixing the vuln wasn't as high as a priority as making a media splash.

reply
From TFA:

> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.

So, no, the `linux-distros` list doesn't solve the problem.

reply
The impacted user count of your Debian fork with a custom-compiled kernel would probably not be more than 1, however.
reply