Message-ID: <2025100406-grew-evaluator-a961@gregkh>
Date: Sat, 4 Oct 2025 07:45:08 +0200
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros

On Sat, Oct 04, 2025 at 04:35:40AM +0200, Attila Szasz wrote:
> I know the workload is immense, but from my perspective as a security
> researcher, here's what I propose:
>
> * I can reach out to academic contacts at universities I've
> collaborated with.
>
> * Bring some of these researchers and students on board to engage with
> the project.
>
> * Explore securing funding for this effort, whether through the EU
> Commission or other channels.
>
> The idea is that if triaging 13 bugs a day is unsustainable,

What do you mean by this? I never stated it was unsustainable, in fact
it's just fine from our side. What is the problem you are wanting others
to help in solving here exactly?

> we could
> delegate this to motivated students and early-career researchers who would
> gladly take on the work—verifying KASAN reproducers, running test cases, and
> handling other essential but lower-level tasks. While not senior
> engineering, it is still highly valuable work and could also serve as
> meaningful experience for them, particularly if supported by proper funding.

We never turn down help, so sure, work away. But I'm very unclear as to
exactly what you are going to be wanting to work on.

> Of course, the authority of the Linux CNA would remain unchanged—you would
> retain the final say and could overrule any decisions if necessary.

Decision about what exactly?

> I believe this approach would help address many of the criticisms raised by
> myself, Canonical, Google, and others, while easing the security workload
> without introducing new or restrictive measures into the Linux developer
> community.

What specific criticisms are you having here? What ones does Canonical
have?

I talk to Google a lot, and so do other members of the kernel CNA team,
and we haven't heard anything specific in quite some time. Last I heard
from them was that they wanted a feed from CVE->OSV for our json records
which I stated would actually reduce the information that the record had
(i.e. you lose what files are affected by a CVE), but sure, if they
wanted that, we'll gladly take patches to our tools to provide that feed
directly.

> What do you think?

I still do not understand what specifically you are asking for anyone to
do here, nor what the criticism specifically is.

thanks,

greg k-h