aduwah 6 hours ago

Especially since the reporter is explicitly asked not to notify the distro teams first.

https://docs.kernel.org/process/security-bugs.html

> As such, the kernel security team strongly recommends that as a reporter of a potential security issue you DO NOT contact the “linux-distros” mailing list UNTIL a fix is accepted by the affected code’s maintainers and you have read the distros wiki page above and you fully understand the requirements that contacting “linux-distros” will impose on you and the kernel community.

nubinetwork 3 hours ago | parent | next [-]

I don't get why the initial reporter should have to do that legwork. The kernel maintainers should be doing that.

stonogo 5 hours ago | parent | prev [-]

The kernel team has been at odds with the CVE process and the oss-security community about this stuff for many, many years now. It's a big part of why the kernel team established a CNA and started flooding CVE notifications; they don't believe that security problems are different than non-security problems, and refuse to establish norms or policies based on the idea that they are.

throw0101a an hour ago | parent | next [-]

> […] they don't believe that security problems are different than non-security problems, and refuse to establish norms or policies based on the idea that they are.

They believe there is no difference between being able to get root and not being able to get root? It seems to me that to-be(-root) and not-to-be(-root) are quite different.

IshKebab 4 hours ago | parent | prev [-]

It's such a bizarre viewpoint. I wonder when Linus will see sense.

IMO it's pretty obviously not a view that they seriously hold, it's just one of those technical justifications people come up with to avoid admitting something they don't want to admit - in this case that Linux has a poor security track record.

guiambros an hour ago | parent | next [-]

Linus? You mean, the same Linus who thinks "security people are f*cking morons", and "security bugs are just bugs"?

Linus is the reason why the kernel team doesn't talk to distros. For them, bugs are bugs, security-related or not.

https://lkml.iu.edu/hypermail/linux/kernel/1711.2/01701.html...

staticassertion 3 hours ago | parent | prev [-]

> I wonder when Linus will see sense.

Literally never. Why would he? He's surrounded by sycophants. And we have Greg for whenever Linus isn't involved anymore, and Greg is just as boneheaded.