On Tue, Feb 13, 2024 at 02:35:24PM -0800, Kees Cook wrote: > On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote: > > +No CVEs will be assigned for unfixed security issues in the Linux > > +kernel, assignment will only happen after a fix is available as it can > > +be properly tracked that way by the git commit id of the original fix. > > This seems at odds with the literal definition of what CVEs are: > _vulnerability_ enumeration. This is used especially during the > coordination of fixes; how is this meant to interact with embargoed > vulnerability fixing? Yes, this is totally wrong, it was the original first draft of the document, that I did on my workstation, and then went on the road for 3+ weeks and I never sycned up when I got home with the updated version that is on my laptop. The updated version addresses this, as it was rightly pointed out by the CVE group that this is not how a CNA is supposed to only work. Yet another reason why keeping changes private is a major pain, not only for security ones! :( Let me send out the proper one after my morning coffee has kicked in and I resolve the differences, and make the grammer fixes that Randy pointed out... > Outside of that, I welcome the fire-hose of coming identifiers! I think > this will more accurately represent the number of fixes landing in > stable trees and how important it is for end users to stay current on > a stable kernel. Agreed. > Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> Many thanks for the review! greg k-h
