oss-sec mailing list archives

Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros


From: Greg KH <greg () kroah com>
Date: Sun, 5 Oct 2025 08:23:21 +0200

On Sat, Oct 04, 2025 at 09:23:57PM -0700, nightmare.yeah27 () aceecat org wrote:
> On Sat, Oct 04, 2025 at 07:45:08AM +0200, Greg KH wrote:
> 
> > > The idea is that if triaging 13 bugs a day is unsustainable,
> > 
> > What do you mean by this?  I never stated it was unsustainable, in
> > fact it's just fine from our side.  What is the problem you are
> > wanting others to help in solving with here exactly?
> 
> I can guess Attila's meaning as an outsider. It seems strange to me
> that as one so deeply engaged in these issues you (Greg) cannot do
> that.
> 
> The meaning is: it *would* be unsustainable *if* you actually started
> triaging.  You don't triage now, because "a bug is a bug".

I don't understand this, sorry.  Right now, we _do_ triage all bugfixes
that are added to the Linux kernel and classify them if they meet the
requirement of a "vulnerability" as required by cve.org or not.  Any
that do, we assign a CVE to.  Any that do not, we do not.  There are 3
of us doing this work, in our public git repo, plus we have 2 "guest"
reviewers also helping out at times, so everyone can see what is
happening before we assign CVEs.  We don't always agree on things, but
that's why there are 3 of us doing the work so we can vote, and of
course, _anyone_ else can always ask for other CVEs to be assigned, or
ask that existing ones be rejected based on their reviews.

That is the work we do to "triage" on a weekly basis.

Again, not all bugfixes that go into the Linux kernel meet the cve.org
definition of "vulnerability", and so, we do not mark all Linux bugfixes
with a CVE.  If we were to do that, the rate of CVEs would be much
higher than the current average of 13 per day (which if you look at
applicability of those CVEs to your system, is on average, or a bit
below, the other two major operating systems out there, so Linux is not
an outlier at all.)

Hope this helps explain things a bit better.  I think this means I need
to write up even more documentation as to exactly how we do all of this
work as this information isn't more widely known.

thanks,

greg k-h