Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Nov 2017 18:21:56 +0000
From: "Maier, Kurt H" <kurt.maier@...l.gov>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref
 due to a race condition in [legousbtower] driver

On Tue, 2017-11-14 at 08:37 +0100, Greg KH wrote:
> 
> But really, this isn't even a "good start", it's identifying a bug
> fixed over a year ago for a kernel that only one company seems to
> care about because they are _not_ following the recommended upstream
> stable kernel patches because they "know better" :)

First you objected to a specific bug, then it turned into "do
everything or give up," now we're back to a specific bug, and each
iteration is more unrealistic "just run whatever we release immediately
across all devices" advice.

Please, this is not productive.

And without rancor, jibes like the "know better" line are basically
just trash-talking people who actually run systems for a living and the
organizations that provide support and development for those systems. 
You're welcome to hold them in contempt but your weird persistence in
ensuring that contempt is explicitly expressed in every message you
post to the list is distracting at best, obnoxious as a baseline, and
toxic as a rule.  Consider taking it for granted that you're possessed
of wisdom unattained by the masses; we've all received this message by
now.

> That's my objection here.

Your objections are not accompanied by any advice that can be followed
by the vast majority of people responsible for linux systems.  The rest
of us are just trying to do our jobs, and the CVE process is an
important tool.  Please stop trying to make the kernel immune to CVE
reporting without any actual path forward for those of us who need this
tool. 

I want to stress that I don't see a need for kernel maintainers to
change their approach in this regard and I have no problem with the
policies as they stand.  But I am profoundly confused as to why you
feel the need to post to oss-sec essentially telling people to pack it
in and go home.  It's not going to happen unless and until we have an
even more reliable and comprehensive method of tracking vulnerabilities
in packaged kernels, regardless of the blessed nature of the
immacualate LTS.

Thanks for your time,
khm

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ