On Fri, 16 Feb 2024, Theodore Ts'o wrote:

> My observation is that the old system has had pretty low-quality
> CVE's, and worse, overly inflated CVE Severity Scores, which has
> forced all people who are supporting distro and cloud servers which
> sell into the US Government market to have to do very fast releases to
> meet FedRAMP requirements. At least once, I protested an overly
> inflated CVSS score as being completely b.s., at a particular
> enterprise distro bugzilla, and my opinion as the upstream developer
> was completely ignored.
>
> So quite frankly, at least one enterprise distro hasn't impressed me

Sad to hear that, no matter which distro that was :), however ...

> with avoiding low quality CVE's and high CVSS scores, and so I'm quite
> willing to give the new system a chance. (Especially since I've been
> told that the Linux Kernel CVE team isn't planning on issuing CVSS
> scores, which as far as I'm concerned, is *excellent* since my
> experience is that they are quite bogus, and quite arbitrary.)

... how is this new process going to change anything in that respect?

There will always be some entity assigning a CVSS score (apparently not the kernel.org/LTS group), and then odds are the situation you are describing will end up happening according to exactly the same scenario, right?

I am still trying really hard to understand what exactly is the problem this whole effort is magically solving for everybody out there either using Linux, or producing something around/on-top-of Linux. And I still don't get it.

Thanks,

-- 
Jiri Kosina
SUSE Labs