Posts
290
Following
87
Followers
3123
gregkh

Greg K-H

Finally converted usbutils over to meson from autotools. Odds are I messed something up, so I should do a release soon to see what broke in the distros as I have no idea how they package this thing anymore:
https://git.sr.ht/~gregkh/usbutils/commit/86dcab8964901d15b87b156546559c8ae28bd9fe
4
8
21
gregkh
repeated
jelly@dodgy.download

jelly

New blogpost about creating bit-by-bit reproducible images with mkosi(!)

https://vdwaa.nl/mkosi-reproducible-arch-images.html

#archlinux #systemd #mkosi

0
6
1
gregkh
repeated
vbabka

Reply to @jarkko
Edited 7 months ago
@jarkko
1
4
16
gregkh
repeated
monsieuricon

K. Ryabitsev 🍁

My boss: "how is that Gemini AI trial going? Are you making good use of it?"
Me: "Oh, yeah, for sure."
1
15
34
gregkh

Greg K-H

Reply to
@kurtseifried @joshbressers Your TV (i.e. all TVs) was running Linux for 15+ years now, it's always been there, just no one noticed...
1
0
0
gregkh

Greg K-H

Reply to @jarkko
@jarkko @kernellogger @pinganini You mean like I posted how to do back in 2013: http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
? No need even for shim!
2
0
2
gregkh

Greg K-H

Reply to
@kurtseifried That's a really good point, the "open source" ecosystem being a CNA is very new, I don't think this was even possible until less than a year ago when python blazed that trail.

And it's nice to see we aren't alone here with "big numbers", it's going to be an interesting thing to watch shake out as "take responsibility" rules/laws come into being in different locations. I agree with you in that the quantity is just going to get larger over time.
0
0
1
gregkh

Greg K-H

Reply to @aho@mastodon.social
@aho Two totally different things (laptop vs. semi-embedded tiny thing with a horrible CPU that no one would purchase so they gave a few shipping containers full of the things away to some people who found a way to use them.)

No comparison at all :)
1
0
2
gregkh

Greg K-H

In non-CVE news, here's some fun hardware I got while visiting Hong Kong. It's not the snappiest laptop I've ever used, but it holds potential!

Kernel source is all public (there's a 6.1.y and 6.6.y tree at the moment), hopefully will start working on getting it all merged upstream to make it a proper platform for others to use.
3
9
32
gregkh

Greg K-H

Reply to @brahms@chaos.social
@brahms @kurtseifried We are not "trolling" anyone, we are doing explicitly what the CVE.org board and staff have required us to do in order for us to be a CNA.
2
1
1
gregkh

Greg K-H

Reply to
@kurtseifried Note, 3000 includes the "old" things we are backfilling from the GSD database, not just the ones that have shown up this year since we started in February. So while 3000 sounds big, if you are using a modern kernel (i.e. something from this year), it's only 1500+ issues to be assigned so far.

Sorry to nit-pick, just wanted to be specific as 3000 in 6 months originally seemed like a lot to me before I went back and looked at these numbers.

Also, for those who want to play along on their own, just clone our vulns.git repo at git.kernel.org and look at the information directly there yourself, it's all being reviewed and assigned in the open, unlike other projects...
0
0
4
gregkh

Greg K-H

Reply to @mathaetaes@infosec.exchange
@mathaetaes @kurtseifried No one is forcing you to! But note, if other operating systems are not reporting these same types of numbers, then they just aren't reporting things that actually get fixed, or nothing is being fixed at all in them. It's up to you to determine which is the case for those systems :)
2
0
8
gregkh

Greg K-H

Reply to
@kurtseifried Yeah, it's only about 60 a week, a bit more than I originally guessed, but not out of the expected range at all.
0
0
1
gregkh

Greg K-H

Reply to @dermoth@noc.social
@dermoth All of those commits we are reviewing are already public and have been for weeks, to somehow think that the "bad guys" are not watching our commit stream as-it-happens is to imply that they don't know what they are doing :)

So there is no benefit or need to be "private" about tagging specific commits as CVEs before we do so as you should have already taken all of these fixes weeks ago anyway.
0
0
1
gregkh

Greg K-H

Reply to @schrotthaufen@mastodon.social
@schrotthaufen @pavel @kernellogger CVE assignment is ANYTHING but automatic. All changes are reviewed by 4 people in different ways and we vote/discuss them all, in public. Anyone is welcome to help us with this review, it's only about 34 changes a day to keep on top of.

Yes, once we agree "this commit should get a CVE" we have tools to make the assignment and publish the notice in an automated way, but all CNAs have something like that (if they don't they are wasting a lot of time doing it by hand.)
1
2
4
gregkh
repeated
kernellogger@fosstodon.org

Thorsten Leemhuis (acct. 1/4)

I'd really like to read a well researched article that sums up how Linux distros reacted to the massive influx of CVE that started ~half a year – both for their packages and their live-patching offerings.

But I guess that is an enormous amount of work that no media outlet in this world is willing to pay anyone for writing. 😕

Slide taken from @gregkh's "Why are there so many kernel CVEs?" talk he gave at OSS China yesterday (https://social.kernel.org/objects/c9979d9f-399f-428b-ac56-c41598076dfa )

4
2
0
gregkh
repeated
sjvn@mastodon.social

sjvn

Don't panic! It's only 60 Linux CVE security bulletins a week https://zdnet.com/article/dont-panic-its-only-60-linux-cve-security-bulletins-a-week/ by @sjvn

Sure, it sounds like a lot, but it's just business as usual for .

1
2
0
gregkh

Greg K-H

Reply to
@kurtseifried It's not like we weren't doing this before Febuary, we were, our rate of fixing hasn't changed at all from what I can tell.

Here's a good summary of the talk from @sjvn : https://www.zdnet.com/article/dont-panic-its-only-60-linux-cve-security-bulletins-a-week/
0
1
1
gregkh

Greg K-H

Here's a link to the slides for my "Why are there so many kernel CVEs?" talk I gave at OSS China yesterday:
https://kccncossaidevchn2024.sched.com/event/ed2b39a9a0cdfc1df18de67ce0c2f6be

Link to git repo for the slides if the schedule site acts odd for you:
https://git.sr.ht/~gregkh/presentation-security

It was fun, and will be the "set up" for my Kernel Recipes talk in Paris in a few weeks (only 3 conferences to go between now and then, travel is back in full swing.)
4
26
37
gregkh
repeated
pabloyoyoista@social.treehouse.systems

pabloyoyoista

Ok, so the day has come. On the context of getting "/usr merge" on alpine, I am going to try update the FHS.

9 years after it was updated, big parts of it are out-of-sync with the current Linux distro conventions.

We (@postmarketOS) already pinged the @linuxfoundation about it in February, and their suggestion was to get somebody interested to do the work. So let's start that process now! Since the FHS mailing list seems defunc (I subscribed and sent an email in February that never got added to the archive), please send me an email at pabloyoyoista@postmarketos.org so we can get a list of people to start discussing the process

4
12
1
Show older
About social.kernel.org

Terms of service

  1. Please do not use this service in violation of the Linux Kernel Code of Conduct. Doing so will result in your account suspension with the referral of the matter to the CoC committee.

  2. "Repeating"/"boosting" someone else's status on this platform will be treated as endorsement and will fall under rule #1.

  3. You are encouraged to use this platform to promote your work on the Linux Kernel, but there is no restriction on permitted topics (with the exception of anything covered by #1 above).

  4. There is no requirement to post in English, but it should be considered the primary language of communication on this platform.

Privacy notice

The admins of this service have access to all posted statuses. They aren't looking, but if it's something they shouldn't know about, then you should not post it on this platform.

Please see the Linux Foundation Privacy Policy, which applies to this platform as well.

Getting your own account

If you would like an account on this instance, please check that the following applies to you:

  • You are listed in MAINTAINERS or CREDITS

  • OR: You have a kernel.org account or email address

  • OR: You have a long and established history of involvement with the Linux Kernel

If the above is true and you agree with the Terms of Service and Privacy Notice listed above, please use these instructions to request an account: