On Wed, 14 Feb 2024, Mark Brown wrote: > Not addressing your point in general but the speaker volume limiting is > security relevant, that change prevents physical damage to the system. > There's an argument for many headphone volume related fixes too since > excessively large volumes can cause substantial distress and potential > injury to users (I can't remember if that fix would be relevant to that > issue). Thanks, I guess you are actually supporting my point, and that is -- there is no consensus whatsoever of what assigning a CVE actually means, at all. To me -- physical damage to the system, fair enough, that might really easily be security relevant. Something being too loud, causing distress ... that's really a grey zone (to put it mildly) for me. How about e.g. a bug in GPU driver, leading to a flickering screen? Many people are very sensitive to that (both physically and mentally) for various reasons. Bug worth fixing? Absolutely, as soon as possible. Security-relevant? Not in my book. To me, kernel is in no way special, in this respect, actually. With each and every coding error in software of your choice, given anough fantasy, you'll come up with a scenario where this will cause some real issues to some living human. That's not what CVE is about at all, at least in my understaing. -- Jiri Kosina SUSE Labs
