[Ksummit-2013-discuss] Topic Proposal: Handling Security Issues in the kernel
Dan Carpenter
dan.carpenter at oracle.com
Sat Aug 17 22:08:59 UTC 2013

On Sat, Aug 17, 2013 at 08:43:52AM -0700, Kees Cook wrote:
> On Sat, Aug 17, 2013 at 7:14 AM, Dan Carpenter <dan.carpenter at oracle.com> wrote:
> > If you find a security commit after the fact you can just report it
> > to linux-distros or stable. Why are these not working?
>
> The issue is that other consumers of the kernel (those not on
> linux-distros) don't have a central place to get a list of fixes to
> pay attention to. Not everyone just takes everything from -stable, for
> example.

Even if you're not on the linux-distros list, they should be
generating a CVE for every issue so other people can follow along.
I'm not on the list, so I don't know...

I guess I've tried to ask in several different ways how often kernel
subsystem maintainers report bugs to linux-distros. Is that process
80% working, would you say?

>
> > Ubuntu already has a list of break-fix hashes. I don't like the
> > idea of having a break-fix file in the kernel.
>
> I still think having a list with break-fix, CVE, and a description of
> the potential impact would be of great service to people interested in
> that kind of thing. And when understanding of the impact changes, it
> gets updated, etc.
>
That's what the Ubuntu break-fix list is.

regards,
dan carpenter