Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros

[Attila Szasz <szasza.contact () gmail com>]

*Hi Greg,*

I am writing to formally invite you to a public debate at next year’s 
FOSDEM.

Our past discussions surrounding the HFS+ vulnerability—and the 
subsequent "lamest vendor response" award the Linux CNA received at 
DEFCON—highlighted a significant disconnect in how we approach security, 
disclosure, and community roles. My goal is not to re-litigate a past 
issue, but to bring transparency to crucial questions that many in our 
community are asking about the future.

I propose a moderated discussion in the Linux kernel devroom to explore 
these topics. The idea is to foster a constructive dialogue, not a 
confrontation. The key questions to address would be:

 *

   *The Linux CNA's Role:* What is its responsibility in global product
   security, and is its current approach effective?

 *

   *Vulnerability Triage:* Is the "all bugs are just bugs" philosophy
   sustainable, or do certain flaws require a higher class of treatment?

 *

   *The Future of Linux Security:* What are the long-term consequences
   of our strategic choices regarding security investment and process?

 *

   *The Next Generation:* How does the kernel project integrate the
   perspectives of independent, nonconformist, and younger developers?

 *

   *Regulatory Readiness:* How can the kernel community best prepare
   for the impact of legislation like the EU’s Cyber Resilience Act (CRA)?

I believe FOSDEM's open, community-driven, and unfiltered nature makes 
it the ideal venue. A frank conversation between us would bring immense 
value and clarity to these complex challenges for the benefit of the 
entire ecosystem.

Would you be willing to participate?

*Best regards,*

*Attila*


On 10/2/25 16:34, Greg KH wrote:
> On Thu, Oct 02, 2025 at 03:11:17PM +0200, Attila Szasz wrote:
> > For the sake of product security folks who rely on consistency: the Linux
> > CNA recently registered a batch of HFS/HFS+ CVEs that require manipulating
> > malformed filesystems as a first step. This seems inconsistent with how
> > similar cases were previously handled.
> If you feel the Linux CNA has issued CVEs in an inconsistent way, please
> contact them and the people there will be glad to research the issue and
> get back to you.  They are issuing, on average, 13 CVEs a day, and so
> stuff like this easily gets lost in the firehose.
>
> The Linux CNA is also currently "backfilling" many old CVE entries that
> previously came from the GSD database, and perhaps the issues you are
> referring to came from there.  If so, again, please contact them and
> they will be glad to discuss it.
>
> thanks,
>
> greg k-h