On Tue, Oct 08, 2024 at 01:40:10PM +0200, Pavel Machek wrote:
> On Tue 2024-10-08 13:24:31, Greg Kroah-Hartman wrote:
> > On Tue, Oct 08, 2024 at 01:19:24PM +0200, Pavel Machek wrote:
> > > Hi!
> > >
> > > > Unfortunately for distributions, there may be various customers or
> > > > government agencies which expect or require all CVEs to be addressed
> > > > (regardless of severity), which is why we're backporting these to stable
> > > > and trying to close those gaps.
> > >
> > > Customers and government will need to understand that with CVEs
> > > assigned the way they are, addressing all of them will be impossible
> > > (or will lead to unstable kernel), unfortunately :-(.
> >
> > Citation needed please.
>
> https://opensourcesecurity.io/category/securityblog/

To be specific:
https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/

Yes, I refer to that in my talk I linked to, what they are saying here
is great, so work with cve.org to fix it. We can't ignore the cve.org
rules while being a CNA, sorry, that's not allowed.

But that link talks nothing about an "unstable kernel" which is what I
take objection to. As I always say, never cherry-pick, just take all
stable releases. That is proven with much research and publications in
the past years, why people don't believe in it is beyond me...

good luck!

greg k-h