Date: Tue, 14 Nov 2017 18:21:56 +0000
From: "Maier, Kurt H" <kurt.maier@...l.gov>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver

On Tue, 2017-11-14 at 08:37 +0100, Greg KH wrote:
>
> But really, this isn't even a "good start", it's identifying a bug
> fixed over a year ago for a kernel that only one company seems to
> care about because they are _not_ following the recommended upstream
> stable kernel patches because they "know better" :)

First you objected to a specific bug, then it turned into "do everything or give up," now we're back to a specific bug, and each iteration is more unrealistic "just run whatever we release immediately across all devices" advice. Please, this is not productive.

And without rancor, jibes like the "know better" line are basically just trash-talking people who actually run systems for a living and the organizations that provide support and development for those systems. You're welcome to hold them in contempt, but your weird persistence in ensuring that contempt is explicitly expressed in every message you post to the list is distracting at best, obnoxious as a baseline, and toxic as a rule. Consider taking it for granted that you're possessed of wisdom unattained by the masses; we've all received this message by now.

> That's my objection here.

Your objections are not accompanied by any advice that can be followed by the vast majority of people responsible for Linux systems. The rest of us are just trying to do our jobs, and the CVE process is an important tool. Please stop trying to make the kernel immune to CVE reporting without any actual path forward for those of us who need this tool. I want to stress that I don't see a need for kernel maintainers to change their approach in this regard, and I have no problem with the policies as they stand.
But I am profoundly confused as to why you feel the need to post to oss-sec essentially telling people to pack it in and go home. It's not going to happen unless and until we have an even more reliable and comprehensive method of tracking vulnerabilities in packaged kernels, regardless of the blessed nature of the immaculate LTS.

Thanks for your time,
khm