Pavel Machek
Posts
1306Following
85Followers
126
Pavel Machek
pavel
0
0
2
Pavel Machek
pavel
@fenruspdx @kernellogger @vegard @gregkh @ljs It would be a service if it was done in good faith. It is not, as clearly stated by Greg. SUSE (and others) now have to explain to their customers that they are not fixing 300 CVEs because they are not real CVEs but spam.
0
0
1
Pavel Machek
pavel
Very nice summary of Boeing situation. https://www.youtube.com/watch?v=Q8oCilY4szc And surprisingly accurate given it is comedy show.
0
0
2
Pavel Machek
pavel
@MWelchUK @vegard @kernellogger @gregkh People are paying for secure enterprise distribution. And if people doing security have to deal with spammer "trying to burn them down", the result will be less secure.
1
0
1
@gregkh @vegard @kernellogger @larsmb @ljs Yep, cow milking machines are clearly reason Greg is allowed to spam CVE database with nonsense copy/pasted from changelogs. Not. There are people who know what "security impact" is, and are acting in good faith, Greg is just not one of them. He complains about "CVE system abuse" then abuses that system 10x more.
0
0
2
Pavel Machek
pavel
0
0
1
Pavel Machek
pavel
@cas @tuxdevices #cutiepi is cool, and I'm currently trying to play with it. But... its RPi inside, and that's not nearly as well supported as I'd hope it would be. I tried quite hard, and either internal display works or HDMI out, but never both... for example.
0
0
3
Pavel Machek
pavel
@martijnbraam Ouch. Power is hard :-(, and IIRC they used industrial chip, not phone chip. I guess it is still way better than PinePhone? Is camera still broken, as described in https://wiki.postmarketos.org/wiki/Fairphone_5_(fairphone-fp5) ?
1
0
0
Pavel Machek
pavel
@vegard @ljs @kernellogger @larsmb @gregkh It clearly is additional work, true. But the goal is security, and nonsensical CVEs do not help with that. https://nvd.nist.gov/vuln/detail/CVE-2023-52472 . What percentage of spam CVEs do you believe describe real security problem?
0
0
2
@gregkh @larsmb @kernellogger @vegard What "abuse" are you talking about? There was small amount of questionable CVEs. Now there's huge amount of... commit metadata pasted into CVEs. That's even lower quality than before, and as a bonus there's order of magnitude more of them. It should be pretty plain to see why people view that as an attack. Example: https://nvd.nist.gov/vuln/detail/CVE-2023-52472 . Does the description make sense to you?
0
0
2
Pavel Machek
pavel
@larsmb @kernellogger @vegard @gregkh If there's some good writeup (you, your company, someone else), it would be useful to me. I seen this so far: https://amanitasecurity.com/posts/dear-linux-kernel-cna-what-have-you-done/ .
0
0
3
Pavel Machek
pavel
@larsmb @vegard @kernellogger @gregkh If there was an SUSE statement explaining "intentional attack on the CVE system is not cool", I could use it :-).
1
0
1
Pavel Machek
pavel
@vegard @kernellogger @larsmb @gregkh Dealing with spammer should not be part of distro's work. And no, "false positives are better" is not true in this case.
1
2
3
Pavel Machek
pavel
@larsmb @kernellogger I don't belive @gregkh is acting in good faith here :-(. https://lwn.net/Articles/961978/ makes it quite clear. How can we stop him?
1
1
3
Pavel Machek
pavel
0
0
0
Pavel Machek
pavel
@sailfishosnews So I welcome competition in phone space, and SailfishOS is indeed part of that. But as the dominant distribution is Android, I'd really prefer options that are at least as free as that.
0
0
0