Conversation

The European Open Source Awards ceremony from January 29th, in one loooong recording with yours truly showing up several times.

Most blabbing at 1h24 and onward when @gregkh was up.

https://youtu.be/KXS5KQjWjns?si=bN35SofySbhbtys_&t=150

@bagder @gregkh and (and I know this is not going to be popular among my peer community of vulnerability management), thank you Greg KH for the very best documented and automatable CVE there is today.

And by far.
https://www.youtube.com/watch?v=KXS5KQjWjns&t=5390s
👏 🎉

@jbm The backlash against Linux kernel advisories is confusing. We wanted transparency; now we have it. More data is always better than a black box. If the new influx of CVEs is breaking your vulnerability management workflow, the problem might be your process, not the advisories.

Thanks for the hard work @gregkh

@bagder

@adulau @gregkh @bagder "If the new influx of CVEs is breaking your vulnerability management workflow, the problem might be your process, not the advisories."

200% agree.

Oh and BTW: also 200% agree with kernel policy of "no CVSS, this depends on your use case, which we do not know". CVSS are (mostly) for people who want a list of CVEs in an Excel file, and forget all the "CVSS < 7.0". This is compliance, NOT security.

PS:
The _only_ thing that I could ask from the kernel is that it should not be considered as a single component (as in "CPE"). It is rather thousands of components/CPEs, one per kernel configuration option. Yes, it would be difficult.
But useful.
At least for me, building everything from sources in embedded contexts. 😁

@bagder I like the video thumbnail: I can finally realise what @gregkh sees when he looks at us from up there 🤳😊

Congratulations to both of you for your well deserved awards! 🏆

@jbm @adulau @bagder No, we can't do this for kernel config options, which is why we give you a list of files affected. You know what files you build, so filter on that.

CPE doesn't work to attempt to describe a kernel configuration option as that is not what it was designed for. It was an attempt to make a machine-readable version/program definition, and even then, it does not work well anymore. PURL is the hope for the way out of that mess, and based on my conversations with the PURL developers at FOSDEM, there is hope that it will "soon" work for all open source software packages (right now it does not, so the kernel cannot use it.)
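The filtering step Greg describes above (match the advisory's affected-file list against the sources your build actually compiles), as an added example that is not part of the thread or of the kernel project's own tooling. It assumes advisory records shaped like CVE JSON 5 with a per-entry list of file paths under a field named `programFiles`, uses placeholder CVE ids and constructed file lists, and conservatively flags any header file since headers are not compiled on their own.

```python
"""Triage Linux kernel CVE records against the source files your build compiles."""

# Constructed sample records (placeholder ids, not real CVEs); the field name
# "programFiles" for the per-affected-entry file list is an assumption.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001"},
     "containers": {"cna": {"affected": [
         {"product": "Linux", "programFiles": ["drivers/net/wireless/example/rx.c"]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002"},
     "containers": {"cna": {"affected": [
         {"product": "Linux", "programFiles": ["fs/ext4/inode.c", "fs/ext4/ext4.h"]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003"},
     "containers": {"cna": {"affected": [
         {"product": "Linux", "programFiles": ["include/linux/skbuff.h"]}]}}},
]

# Constructed set of sources compiled for a hypothetical embedded config
# (in practice derived from the .o files left behind by your kernel build).
BUILT_SOURCES = {"fs/ext4/inode.c", "fs/ext4/super.c", "net/core/skbuff.c"}


def affected_files(record):
    """Collect every file path listed under the record's affected entries."""
    files = set()
    for entry in record["containers"]["cna"].get("affected", []):
        files.update(entry.get("programFiles", []))
    return files


def applies_to_build(record, built_sources):
    """Return (applies, reason). A .c file applies only if this build compiles it;
    a header is never compiled on its own, so it is flagged conservatively."""
    for path in sorted(affected_files(record)):
        if path.endswith(".h"):
            return True, f"header {path} may be included by built code"
        if path in built_sources:
            return True, f"{path} is compiled in this build"
    return False, "no affected file is part of this build"


def triage(records, built_sources):
    """Map CVE id -> (applies, reason) for every record."""
    return {r["cveMetadata"]["cveId"]: applies_to_build(r, built_sources) for r in records}


if __name__ == "__main__":
    for cve, (applies, why) in triage(SAMPLE_RECORDS, BUILT_SOURCES).items():
        print(f"{cve}: {'REVIEW' if applies else 'skip'} ({why})")
```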