I'm sad to say that we're following the lead of many others and putting in proof-of-work proxies into place to protect ourselves against "AI" crawler bots. Yes, I hate this as much as you, but all other options are currently worse (such as locking us into specific vendors).

We'll be rolling it out on lore.kernel.org and git.kernel.org in the next week or so.

@sjvn @bagder @joshbressers @TheNewStack It's not a formal group within cve.org, just a semi-regular meeting of open source projects who are CNAs to discuss things about being a CNA.

How #Linux Kernel Deals With Tracking CVE #Security Issues: https://thenewstack.io/how-linux-kernel-deals-with-tracking-cve-security-issues/ via @TheNewStack & @sjvn

And why, all too soon, most #opensource projects must also manage their own Common Vulnerabilities and Exposures.

@joshbressers @sjvn @TheNewStack I'm with @badger Linux is a CNA to help fix the CVE process, and so far we have already achieved some change, more to hopefully come.

And the CRA is going to cause other software projects to come to terms with their reporting process, so becoming a CNA is a good step forward in the whole thing.

And besides, what open source project doesn't want to actually control what other people are saying about your project? Just this week we "took back" a CVE issued by a rogue CNA against Linux when they shouldn't have done so. If we weren't a CNA we would never have been able to do so at all.

Excellent #keynote by @gregkh at #KubeCon #CloudNativeCon on why we need #Rust in the #Linux kernel, including:

➡️ Standardize, "automate" error handling
➡️ Enforce lock acquisition, automate release
➡️ Type safety

As an important side-effect, switching from C to Rust requires you to ensure APIs fit the cleaner error handling/locking/type paradigms.

To ensure Linux stays secure and maintainers sane.

He also recommended the following 90-minute presentation: https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah

@jduck We assign on average, 13 CVEs a day for the kernel, what's one more? :)

Seriously, nice job, thanks for seeing the issue through. syzbot finds loads of stuff, we have a lack of people doing the work to fix everything it finds.

Many in open source are still unaware of how the Cyber Resilience Act will impact projects and businesses. This blog breaks it down.

Stay informed: https://www.linuxfoundation.org/blog/unaware-and-uncertain-is-the-open-source-community-prepared-for-the-new-regulatory-reality-of-the-cyber-resilience-act

The initial set of speakers and talks for ER is now published. A few highlights:
- @gregkh on the EU Cyber Resiliency Act (CRA)
- barriers to security on embedded systems
- Steam OS impact on Linux ecosystem
- Functional Safety on Linux
- writing real-time applications
- fully open source CNC and 3D printing

and many more: https://embedded-recipes.org/2025/speakers/

@rpardini @torvalds Yup, is there now, sorry for the delay.

Fun, but long, interview with me about how the Linux development process works was just released: https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah

It's not all boring, I talk about Rust and our lack of project managers (both good things IMO) so there's lots for people to be grumpy about if you are so inclined.

Registration is now open for ER 2025! We hope you can join us this year in Nice, France.
https://embedded-recipes.org/2025/attend/

@AugierLe42e Hopefully yes, but it depends on the firmware on the hub itself, it's not under control of the operating system at all.

@AugierLe42e Look at how the "port" is found when you do something like 'lsusb -t', I think that should help out here. Good luck!

@sjn @cpansec Thanks for the clarification, and yes, I will mention it!

@bagder As Red Hat just became a root at the same time Perl became a CNA, odds are that wasn't an option yet. But yes, going forward I think having most/many open source groups be under Red Hat is a good option to help reduce the load on MITRE.

Perl is now a CNA, able to assign their own CVE ids, this is great news!
https://security.metacpan.org/2025/02/25/cpansec-is-cna-for-perl-and-cpan.html

Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this:
https://lfms25.sched.com/event/1urXE/take-control-over-your-projects-cve-entries-before-someone-else-does-greg-kroah-hartman-linux-foundation

At least once a day I'm reminded of this slide from @bagder last year at FOSDEM

@hughsie What about the real CVE github repo at https://github.com/CVEProject/cvelistV5.git ? Never trust the "additions" that NVD adds to cve records, they are often totally incorrect in odd ways. Stick to the raw records please.

Having all CVEs in one git repo makes it easy to use 'git grep' to search.

What comes after world domination?

This is the abstract for my scheduled talk at foss-north 2025 in April. What do you think is next?

https://foss-north.se/2025/

Where's all the commentary and speculation for good kernel rust stories? https://www.phoronix.com/news/Linux-6.14-Faux-Bus-Merged