On Thu, Feb 15, 2024 at 06:38:05PM +0100, Jiri Kosina wrote: > On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote: > > > The Linux kernel project now has the ability to assign CVEs to fixed > > issues, so document the process and how individual developers can get a > > CVE if one is not automatically assigned for their fixes. > > There is still one thing that's not clear to me with this new process, and > that's how embargos are going to be handled. > > Currently, the process is broken as well, but at least understood by > everybody. > > - issues are reported to security@xxxxxxxxxx. No CVE assigned, 7days > embargo, then fix gets pushed out > > - at some point (in parallel, before, or after the above), the issue gets > reported to linux-distros@. CVE gets assigned, and downstreams start > integrating the fix (once available) to their codebase. linux-distros is not allowed to assign a CVE id for a Linux kernel fix, so this will not happen here anymore. They HAVE to contact cve@xxxxxxxxxx in order to do this as no one else is allowed to create a CVE entry for Linux unless some very extreem things happen that I do not plan on ever having happen to us (see the CNA rules for details.) > - embargo is lifted, fixes are released with proper CVE reference > > How is the new process going to look like? Please keep in mind that > linux-stable is (by far!) *not* the only downstream of Linux Kernel > project. I agree, and again, linux-distros will not be assigning CVEs for issues that affect the currently supported kernels as listed on kernel.org, nor will any other group, so this shouldn't be an issue as we can coordinate properly if the above senario happens. > We've had this discussion in other contexts already, but I whole-heartedly > believe that it's in no way in the Linux Kernel project's interest to kill > those other downstreams (read: Linux distros) (*) ... or is it? I have no interest in doing anything about linux-distros, just that they are not allowed to assign a new CVE for Linux anymore as of Tuesday this week, and neither is any other CNA, just like they are not allowed to assign a CVE for Windows today, no difference at all. thanks, greg k-h