Conversation

How Kernel Deals With Tracking CVE Issues: https://thenewstack.io/how-linux-kernel-deals-with-tracking-cve-security-issues/ via @TheNewStack & @sjvn

And why, all too soon, most projects must also manage their own Common Vulnerabilities and Exposures.


@sjvn @TheNewStack

Ugh, please don't normalize "every open source project needs to be a CNA"

Most open source projects don't have the resources to be a CNA and shouldn't need to be a CNA

Curl and the Kernel became CNAs because the CVE process is broken


@joshbressers @sjvn @TheNewStack I'm using our role as CNA to work within and push against silliness in the program, in part to work against said "need". Together with other open source CNAs (to avoid naming names).

Not saying this will succeed of course...


@joshbressers @TheNewStack The EU CRA will force the hand of many. More on that in a forthcoming article.


@sjvn @joshbressers @TheNewStack but nothing in CRA says someone needs to be CNA.

@joshbressers @sjvn @TheNewStack I'm with @badger. Linux is a CNA to help fix the CVE process, and so far we have already achieved some change, more to hopefully come.

And the CRA is going to cause other software projects to come to terms with their reporting process, so becoming a CNA is a good step forward in the whole thing.

And besides, what open source project doesn't want to actually control what other people are saying about your project? Just this week we "took back" a CVE issued by a rogue CNA against Linux when they shouldn't have done so. If we weren't a CNA we would never have been able to do so at all.

@gregkh @TheNewStack @badger @sjvn

Working to fix the CVE problems should be applauded

But we need to keep in mind there are open source projects that are one person who spends two hours every other Saturday

Expecting that person to become a CNA is 🍌

They should be able to control their CVE data also, but today they can't


@joshbressers @gregkh @TheNewStack @sjvn agreed.

We are proposing that OSS projects be able to opt out of getting CVE records "improved" by CVSS.

We are also discussing how smaller OSS projects could get an existing CNA to deal with their CVEs (their scope really), as if they were a CNA.

This is within the "OSS CNA group" that has been started featuring curl, kernel, perl, and lots of linux distros ppl etc.


@bagder @gregkh @TheNewStack @sjvn

I shall be cautiously optimistic this can move the needle, thanks for working on this!


@joshbressers @gregkh @TheNewStack @badger

There's always that, which is one of the reasons the more I look at the CRA the more concerned I get. E.g. the Apache Airflow croniter affair: https://github.com/pallets-eco/croniter/issues/144

@sjvn @bagder @joshbressers @TheNewStack It's not a formal group within cve.org, just a semi-regular meeting of open source projects who are CNAs to discuss things about being a CNA.