"hi I am Greg, this is wrong, everything I say is public information and *not* under NDA" - @gregkh on stage of the #GoogleAndroidBootcamp

Saturday's stable kernel updates https://lwn.net/Articles/969732/ #LWN

Four stable kernel updates https://lwn.net/Articles/969352/ #LWN

Just a reminder: only a week to hear me babbling about Linux kernel DTS validation and shared reset GPIOs on Embedded Open Source Summit/OSSNA 2024. Don't miss it and come to say hi!
EOSS: https://sched.co/1aBEf
OSSNA: https://sched.co/1aPvr

Well, I finally have data to back my model of the software world out there. And the data is relatively solid and shows what I keep saying.

You are all on our turf now. Please accept that you have no idea what you are talking about. Sit down. Listen. Ask questions.

But respect our work. We are trying to keep the world running, 1h per month.

https://www.softwaremaxims.com/blog/open-source-hobbyists-turf

Eight new stable kernels https://lwn.net/Articles/966755/ #LWN

Minister Adriaansens: verhuizing SIDN naar Amazon 'nog geen voldongen feit' https://tweakers.net/nieuws/220102/minister-adriaansens-verhuizing-sidn-naar-amazon-nog-geen-voldongen-feit.html

For your Sunday reading: https://arxiv.org/pdf/2402.05212.pdf "An Investigation of Patch Porting Practices of the
Linux Kernel Ecosystem" in which different distros, and Android, are evaluated as to how up to date they stay with upstream fixes. Note that RHEL or CentOS is not evaluated "because of the lack of public git repositories or insufficient data."

About time someone started writing papers about this stuff...

We're #hiring at the @openssf !

Our mission is to ensure the security of open source software for all.

Are you a seasoned Technical Program Manager excited about #cybersecurity and #opensource who wants a full-time #remotejob?

Apply: https://openssf.jobboard.io/jobs/314008394-technical-program-manager-at-openssf

I feel terrible, but I haven't laughed this hard in a long time.

So we got @gregkh on the show to explain Linux Kernel security, both proactive and reactive, and why they sort of can't treat security bugs special (TL;DR: Linux is on everything, so a prenotification list to tell people secretly doesn't work when you tell thousands of people... and that's one of the easier problems), the whole #CVE thing and more on the #osspodcast with @joshbressers and @kurtseifried https://opensourcesecurity.io/2024/02/25/episode-417-linux-kernel-security-with-greg-k-h/ TL;DR: just run an up to date stable Kernel, the era of trying to cherry-pick and backport security fixes is coming to an end.

Did a quick *rough* check:

* 65 #Linux #kernel CVE announcements from Greg so far

* 55 of those refer to a mainline commit

* 10 of those were marked for backporting to stable/longterm

And that's why Greg backports a lot of #LinuxKernel mainline commits to stable/longterm that are *not* tagged for backporting -- and why "only backport changes mainline developers[1] tagged for backporting" is a bad idea.

[1] reminder, such tagging is optional, as participation in stable/longterm is optional

The #Linux kernel developers are now issuing their own, more accurate Common Vulnerabilities and Exposures #security bulletins. https://opensourcewatch.beehiiv.com/p/linux-gets-cve-security-business by @sjvn

The Linux kernel developers are now in charge of its Common Vulnerabilities and Exposures (CVE) security problems.

Computer folks, remember the precedence of operators! Consult this handy list if in doubt:

() [] -> .
! ~ ++ --
* / %
+ -
<< >>
< <= > >=
== != &=
=== &&& |||
?: ??= ( ^..^)ﾉ
(╯°□°)╯︵ ┻━┻

Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs:
https://outflux.net/slides/2021/lss/kspp.pdf

I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.

[$] A turning point for CVE numbers https://lwn.net/Articles/961978/ #LWN

Linux is now a CNA: http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/

This has taken a long time, I'd like to thank all the groups that helped, and especially the CVE group themselves. Our application was a bit different than other groups, but they understood that this is important for security overall.

Slide from a college lecture about Linux this year. While it's not exactly wrong, I don't think it is all that complete, and accidentally humorous. I feel for the kids...

I would like to clarify my earlier comment: I'm not saying LF is not supportive of my work -- in fact, I've always been encouraged to do whatever is necessary to make the Linux development community happy and productive, and there has always been solid backing for it from LF management and fellow IT team members.

However, I do have to manage multiple priorities and my #1 priority remains supporting the LF IT backend infrastructure for kernel.org (plus a few other similarly aligned projects), in addition to managing a small team of fellow IT pros. If I have to choose between working on tooling and working on something that requires attention from the infra side of things, the infra work is always prioritized for practical/operational/security reasons.

So, when I say that "my request hasn't been approved yet" I don't mean it in the sense that someone is telling me not to work on b4 or bugbot -- it just means that we haven't properly reallocated resources to allow me to prioritize tooling work -- yet. To properly request these resources, I need to present a clear vision of what we are trying to accomplish, why it makes sense to work on that (as opposed to, say, just moving things over to some large commercial forge and telling everyone to switch to that), and how this effort helps Linux development in the overall scheme of things. I'm sure we'll get there soon, I'm just explaining why we're not there yet (and hence why some cool stuff I've talked about hasn't made it to b4). :)

Some weekend stable kernel updates https://lwn.net/Articles/958860/ #LWN