On Tue 2024-10-08 13:24:05, Greg Kroah-Hartman wrote: > On Tue, Oct 08, 2024 at 01:16:28PM +0200, Pavel Machek wrote: > > On Wed 2024-10-02 09:26:46, Jens Axboe wrote: > > > On 10/2/24 9:05 AM, Vegard Nossum wrote: > > > > Christophe JAILLET (1): > > > > null_blk: Remove usage of the deprecated ida_simple_xx() API > > > > > > > > Yu Kuai (1): > > > > null_blk: fix null-ptr-dereference while configuring 'power' and > > > > 'submit_queues' > > > > > > I don't see how either of these are CVEs? Obviously not a problem to > > > backport either of them to stable, but I wonder what the reasoning for > > > that is. IOW, feels like those CVEs are bogus, which I guess is hardly > > > surprising :-) > > > > "CVE" has become meaningless for kernel. Greg simply assigns CVE to > > anything that remotely resembles a bug. > > Stop spreading nonsense. We are following the cve.org rules with > regards to assigning vulnerabilities to their definition. Stop attacking me. > And yes, many bugs at this level (turns out about 25% of all stable > commits) match that definition, which is fine. If you have a problem > with this, please take it up with cve.org and their rules, but don't go > making stuff up please. You are assigning CVE for any bug. No, it is not fine, and while CVE rules may permit you to do that, it is unhelpful, because the CVE feed became useless. (And yes, some people are trying to mitigate damage you are doing by disputing worst offenders, and process shows that quite often CVEs get assigned when they should not have been.) And yes, I have problem with that. Just because you are not breaking cve.org rules does not mean you are doing good thing. (And yes, probably cve.org rules should be fixed.) Pavel -- DENX Software Engineering GmbH, Managing Director: Erika Unter HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: PGP signature
