Date: Wed, 27 Sep 2017 10:14:04 +0100
From: Muhammed Mustapha Abiola <1@...tapha.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel CVEs not mentioned on oss-security

Isn't this exactly what Vendor-Sec tried to solve?

On Tue, Sep 26, 2017 at 4:04 PM, Greg KH <greg@...ah.com> wrote:

> On Tue, Sep 26, 2017 at 04:50:10PM +0200, Agostino Sarubbo wrote:
> > On Tuesday 26 September 2017 09:32:14 CEST Greg KH wrote:
> > > > I guess this would be benefit for all.
> > >
> > > Define "all"
> >
> > You know, for example in Gentoo we are following the upstream releases. So
> > from time to time we stabilize a newer kernel that "syncs" with upstream.
> > This does not happen for non-rolling (release) distros that may want to
> > patch/backport the security fix.
>
> I understand the issue well, I talk to companies all the time about this :)
>
> The rule for the kernel is, "if a distro/company/user is not following
> the stable kernel updates, they are on their own". I recommend either
> using the stable kernels, or paying for a company that knows what they
> are doing in this area and provides support (Red Hat, SuSE, etc.)
>
> And if you try to argue "just tell us what needs to be fixed", well, we
> are, am, we are providing about 10-12 patches a day that people should
> be incorporating into their kernels. Why they ignore that curated and
> tested stream of fixes is beyond me...
>
> Anyway, this is getting a bit off-topic here, sorry for the noise.
>
> Best of luck,
>
> greg k-h