oss-sec mailing list archives
Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros
From: Greg KH <greg () kroah com>
Date: Sun, 5 Oct 2025 08:23:21 +0200
On Sat, Oct 04, 2025 at 09:23:57PM -0700, nightmare.yeah27 () aceecat org wrote:
On Sat, Oct 04, 2025 at 07:45:08AM +0200, Greg KH wrote:The idea is that if triaging 13 bugs a day is unsustainable,What do you mean by this? I never stated it was unsustainable, in fact it's just fine from our side. What is the problem you are wanting others to help in solving with here exactly?I can guess Attila's meaning as an outsider. It seems strange to me that as one so deeply engaged in these issues you (Greg) cannot do that. The meaning is: it *would* be unsustainable *if* you actually started triaging. You don't triage now, because "a bug is a bug".
I don't understand this, sorry. Right now, we _do_ triage all bugfixes that are added to the Linux kernel and classify them if they meet the requirement of a "vulnerability" as required by cve.org or not. Any that do, we assign a CVE to. Any that do not, we do not. There are 3 of us doing this work, in our public git repo, plus we have 2 "guest" reviewers also helping out at times, so everyone can see what is happening before we assign CVEs. We don't always agree on things, but that's why there are 3 of us doing the work so we can vote, and of course, _anyone_ else can always ask for other CVEs to be assigned, or ask that existing ones be rejected based on their reviews. That is the work we do to "triage" on a weekly basis. Again, not all bugfixes that go into the Linux kernel meet the cve.org definition of "vulnerability", and so, we do not mark all Linux bugfixes with a CVE. If we were to do that, the rate of CVEs would be much higher than the current average of 13 per day (which if you look at applicability of those CVEs to your system, is on average, or a bit below, the other two major operating systems out there, so Linux is not an outlier at all.) Hope this helps explain things a bit better. I think this means I need to write up even more documentation as to exactly how we do all of this work as this information isn't more widely known. thanks, greg k-h
Current thread:
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 02)
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
- Message not available
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 03)
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
- Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 04)
- Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 04)
- Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 05)
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 02)
- Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 02)