skywhopper 7 hours ago

The reporter made a website explicitly calling out Ubuntu, RedHat, Amazon, and SUSE but didn’t notify them, and you think that’s reasonable? That they might not have known those distributions are downstream from the kernel team?

Legend2440 5 hours ago | parent | next

If you notify the kernel and they ship a fix, it seems reasonable to expect that they will communicate the fix to the distros.

I see this as an organizational failure of the Linux ecosystem. There should be better communication between distro and kernel development.

dweinus an hour ago | parent

The reporter clearly knows the distro fixes have not been shipped, read their report. They chose to disclose anyway.

john_strinlai 44 minutes ago | parent

>They chose to disclose anyway.

Yes, because 30 days had passed from the time the patch landed in the kernel, as per industry standard.

Approximately every security researcher, including the likes of Google and other big names you may know, does a 90+30 disclosure, which is what happened here. They do this for good reason, which has been figured out over decades of experience in reporting thousands and thousands of vulnerabilities.

The only security researchers I know of that don't like 90+30 actually argue for shorter timelines (or immediate disclosures).

sigmar 4 hours ago | parent | prev

What is the heuristic for who should get the heads up? Should they notify Amazon but not Google simply because they named Amazon Linux in the report? Seems to me the answer to my first question gets messy fast.