@krzk May all kernel developer's CVs be filled with CVEs, think of it as an early holiday present :)

@Conan_Kudo @joshbressers Oh, I don't think we are going to have the "not issuing enough CVEs" problem for the kernel, if anything, it's going to be the opposite.

And people shouldn't "fear" a CVE, it's just a hint of "hey, here's a bugfix that might pertain to you!" type of a signal. It's up to the receiver to determine if it does or not.

The main objection the kernel developers had previously about CVEs is that they were NOT an accurate signal at all, and were being totally abused by one company who used them to route around their broken internal engineering practices.

@joshbressers I disagree, open source projects becoming CNAs to prevent others from attempting to dictate what is, and is not, a "security issue" in their software is a key "taking responsibility" step as well as a "preventing others who abuse the CVE process from wasting everyone's time" which is what has been happening to many open source projects for quite a while now.

It really isn't much work to be a CNA, they have made the process very easy, highly recommended for any other open source project to do as well.

@Di4na @joshbressers @kurtseifried @B97 No updates means that there's nothing for you to update to, so again, what's the issue? :)

Seriously, yes, software needs active maintenance, if you rely on it, help provide that maintenance where needed and possible. If no maintenance is possible, then look to use other software instead, or not at all (custom Makefiles are always fun!)

@Di4na @joshbressers @kurtseifried @B97 autotools are great, updating to the latest version is usually a good idea anyway, why wouldn't you want to do that? Many distros do this quite well already, what do they know that others do not?

@kurtseifried @B97 @joshbressers The "simple solution" for all of this is just to have open source projects say "You must update to our latest version, it fixes all known issues at this time".

That's what we have done in the kernel for a very long time, and I predict this fascination of unique identifiers somehow meaning something is going to go away over time as it's obviously not sustainable for anyone involved.

Now if users of any type of software don't want to constantly update, then that is their fault, not the fault of the project itself. If the project doesn't provide stable updates, then no one should be using that software in the first place :)

https://lore.kernel.org/lkml/2024021430-blanching-spotter-c7c8@gregkh/ is the v3 version of the kernel CVE process documentation patch, which should address a number of reported issues in the first version (v1 suffered from being an older version, my fault.)

@kernellogger That's kind of a "if a tree falls in a forest and no one hears it, does it make a sound?" type of question, right?

Yes, if no one tells us that a specific issue/bugfix/whatever should have a CVE, and it doesn't get backported to stable (which will automatically trigger the review for CVE assignment), then you are correct, nothing will be assigned as obviously, no one noticed it.

So there is no sound :)

Linux is now a CNA: http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/

This has taken a long time, I'd like to thank all the groups that helped, and especially the CVE group themselves. Our application was a bit different than other groups, but they understood that this is important for security overall.

@joostruis Yeah, I was there for that talk, there was a bunch of us kernel developers in the back corner cringing at times for that talk. Much is wrong when it comes to Linux but to be fair, there's not much way for him to have known that as it would take a kernel developer to.

But it's a good talk, recommended, MINIX is where I learned C in University, and it is a great learning tool for many things.

Slide from a college lecture about Linux this year. While it's not exactly wrong, I don't think it is all that complete, and accidentally humorous. I feel for the kids...

I would like to clarify my earlier comment: I'm not saying LF is not supportive of my work -- in fact, I've always been encouraged to do whatever is necessary to make the Linux development community happy and productive, and there has always been solid backing for it from LF management and fellow IT team members.

However, I do have to manage multiple priorities and my #1 priority remains supporting the LF IT backend infrastructure for kernel.org (plus a few other similarly aligned projects), in addition to managing a small team of fellow IT pros. If I have to choose between working on tooling and working on something that requires attention from the infra side of things, the infra work is always prioritized for practical/operational/security reasons.

So, when I say that "my request hasn't been approved yet" I don't mean it in the sense that someone is telling me not to work on b4 or bugbot -- it just means that we haven't properly reallocated resources to allow me to prioritize tooling work -- yet. To properly request these resources, I need to present a clear vision of what we are trying to accomplish, why it makes sense to work on that (as opposed to, say, just moving things over to some large commercial forge and telling everyone to switch to that), and how this effort helps Linux development in the overall scheme of things. I'm sure we'll get there soon, I'm just explaining why we're not there yet (and hence why some cool stuff I've talked about hasn't made it to b4). :)

Some weekend stable kernel updates https://lwn.net/Articles/958860/ #LWN

After 4 years the strlcpy() API has been fully removed from the Linux kernel. Long live strscpy().
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d26270061ae66b915138af7cd73ca6f8b85e6b44

Next up, strncpy()!
https://github.com/KSPP/linux/issues/90

"We estimate the supply-side value of widely-used OSS is $4.15 billion, but that the demand-side value [replacement value for each firm that uses the software] is much larger at $8.8 trillion. We find that firms would need to spend 3.5 times more on software than they currently do if OSS did not exist."

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4693148

@monsieuricon no, it was delayed a bit, came a full second later :)

"We are sending you your account credentials in an encrypted Microsoft Word file with the password sent separately."

— How to say you are a government agency without saying you are a government agency.

@mripard @kernellogger And look, it does, through the kernelci project! If companies really cared, they would provide developers and resources to work on kernelci more, I know they can always use the help to make it better.

@spbnick @kernellogger I have always wanted a good CI feedback loop, which is why I worked on pushing everyone to support kernelci, and kernelci is getting better, but is not quite there yet. Slowly it is getting there.

@Logical_Error What vendor isn't providing kernel source for their phone? I haven't seen that in a long time, except for some China-based non-name ones, and even then it's not too hard to find the source with a bit of searching. Now replacing the kernel on the device is a different story, good luck with that!