Date: Wed, 27 Sep 2017 10:14:04 +0100
From: Muhammed Mustapha Abiola <1@...tapha.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel CVEs not mentioned on oss-security

Isn't this exactly what Vendor-Sec tried to solve?

On Tue, Sep 26, 2017 at 4:04 PM, Greg KH <greg@...ah.com> wrote:

> On Tue, Sep 26, 2017 at 04:50:10PM +0200, Agostino Sarubbo wrote:
> > On Tuesday, 26 September 2017 09:32:14 CEST Greg KH wrote:
> > > > I guess this would be benefit for all.
> > >
> > > Define "all"
> >
> > You know, for example in Gentoo we are following the upstream releases. So
> > from time to time we stabilize a newer kernel that "syncs" with upstream.
> > This does not happen for non-rolling (release) distros that may want to patch/
> > backport the security fix.
>
> I understand the issue well, I talk to companies all the time about this :)
>
> The rule for the kernel is, "if a distro/company/user is not following
> the stable kernel updates, they are on their own".  I recommend either
> using the stable kernels, or paying for a company that knows what they
> are doing in this area and provides support (Red Hat, SuSE, etc.)
>
> And if you try to argue "just tell us what needs to be fixed", well, we
> are, am, we are providing about 10-12 patches a day that people should
> be incorporating into their kernels.  Why they ignore that curated and
> tested stream of fixes is beyond me...
>
> Anyway, this is getting a bit off-topic here, sorry for the noise.
>
> Best of luck,
>
> greg k-h
>
