How #Linux Kernel Deals With Tracking CVE #Security Issues: https://thenewstack.io/how-linux-kernel-deals-with-tracking-cve-security-issues/ via @TheNewStack & @sjvn
And why, all too soon, most #opensource projects must also manage their own Common Vulnerabilities and Exposures.
Ugh, please don't normalize "every open source project needs to be a CNA"
Most open source projects don't have the resources to be a CNA and shouldn't need to be a CNA
Curl and the Kernel became CNAs because the CVE process is broken
@joshbressers @sjvn @TheNewStack I'm using our role as CNA to work within and push against silliness in the program, in part to work against said "need". Together with other open source CNAs (to avoid naming names).
Not saying this will succeed of course...
@joshbressers @TheNewStack The EU CRA will force the hand of many. More on that in a forthcoming article.
@sjvn @joshbressers @TheNewStack but nothing in CRA says someone needs to be CNA.
@gregkh @TheNewStack @badger @sjvn
Working to fix the CVE problems should be applauded
But we need to keep in mind there are open source projects that are one person who spends two hours every other Saturday
Expecting that person to become a CNA is 🍌
They should be able to control their CVE data also, but today they can't
@joshbressers @gregkh @TheNewStack @sjvn agreed.
We are proposing OSS projects to be able to opt out of getting CVE records "improved" by CVSS.
We are also discussing how smaller OSS projects could get an existing CNA to deal with their CVEs (their scope really), as if they were a CNA.
This within the "OSS CNA group" that has been started featuring curl, kernel, perl, and lots of linux distros ppl etc.
@bagder @gregkh @TheNewStack @sjvn
I shall be cautiously optimistic this can move the needle, thanks for working on this!
@joshbressers @gregkh @TheNewStack @badger
There''s always that, which is one of the reasons the more I look at the CRA the more concerned I get. E.g. the Apache Airflow croniter affair: https://github.com/pallets-eco/croniter/issues/144
@bagder @joshbressers @gregkh @TheNewStack Where is the OSS CNA group? I don't know it.