{"comments":[{"comment":{"id":8692436,"creator_id":24528,"post_id":8935238,"content":"Short version: A bunch of shitty companies have as business model to sell open databases to companies to track security vulnerabilities - at pretty much zero effort to themselves. So they've been bugging the kernel folks to start issuing CVEs and do impact analysis so they have more to sell - and the kernel folks just went \"it is the kernel, everything is critical\"\n\ntl;dr: this is pretty much an elaborate \"go fuck yourself\" towards shady 'security' companies.","removed":false,"published":"2024-05-17T17:34:56.819283Z","deleted":false,"ap_id":"https://kyu.de/comment/4731081","local":false,"path":"0.8692436","distinguished":false,"language_id":0},"creator":{"id":24528,"name":"aard","display_name":"aard","avatar":"https://kyu.de/pictrs/image/aefdbba8-1697-4a52-8c4f-e0c2c624b576.png","banned":false,"published":"2023-06-09T21:33:34.027283Z","actor_id":"https://kyu.de/u/aard","local":false,"banner":"https://kyu.de/pictrs/image/470d79ec-9125-4d89-9c39-2d2263492b2d.png","deleted":false,"matrix_user_id":"@bernd:wachter.fi","bot_account":false,"instance_id":572},"post":{"id":8935238,"name":"The Linux kernel is a CNA - so what?","url":"https://www.codethink.co.uk/articles/2024/cve-blog/","creator_id":3291,"community_id":20,"removed":false,"locked":false,"published":"2024-05-17T16:45:09.769427Z","deleted":false,"nsfw":false,"embed_title":"The Linux kernel is a CNA - so what?","embed_description":"

This is big news. It may not seem like it at first glance, but the impact could be huge.

","thumbnail_url":"https://lemmy.ml/pictrs/image/29056606-fcb2-4d17-8a80-aa226d0e3a97.png","ap_id":"https://lemmy.ml/post/15749828","local":false,"language_id":37,"featured_community":false,"featured_local":false},"community":{"id":20,"name":"linux","title":"Linux","description":"From Wikipedia, the free encyclopedia\n\nLinux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n\nDistributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word \"Linux\" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n\n\n### Rules\n* Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n* No misinformation\n* No NSFW content\n* No hate speech, bigotry, etc \n\n### Related Communities\n* [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n* [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture) \n* [!technology@lemmy.ml](https://lemmy.ml/c/technology) \n* [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware) \n\nCommunity icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)","removed":false,"published":"2019-06-01T15:07:36.179766Z","updated":"2022-06-18T17:36:20.924834Z","deleted":false,"nsfw":false,"actor_id":"https://lemmy.ml/c/linux","local":false,"icon":"https://lemmy.ml/pictrs/image/q98XK4sKtw.png","hidden":false,"posting_restricted_to_mods":false,"instance_id":16,"visibility":"Public"},"counts":{"comment_id":8692436,"score":82,"upvotes":82,"downvotes":0,"published":"2024-05-17T17:34:56.819283Z","child_count":3},"creator_banned_from_community":false,"banned_from_community":false,"creator_is_moderator":false,"creator_is_admin":false,"subscribed":"NotSubscribed","saved":false,"creator_blocked":false},{"comment":{"id":8692182,"creator_id":2325,"post_id":8935238,"content":">## What’s happened?\n>\n>The Linux kernel project has become its own [CVE Numbering Authority](https://lwn.net/Articles/961961/) (CNA) with two very notable features:\n>\n>* CVE identifiers will only be assigned *after* a fix is already available and in a release; and\n>* the project will err on the side of caution, and assign CVEs to *all fixes*.\n>\n>This means each new kernel release will contain *a lot* of CVE fixes. \n>\n>## So what?\n>\n>This could contribute to a significant change in behaviour for commercial software vendors.\n>\n>The kernel project has long advocated updating to the latest stable release in order to benefit from fixes, including security patches. They’re not the only ones: Google has [analysed](https://security.googleblog.com/2021/08/linux-kernel-security-done-right.html) this topic and Codethink talks extensively about creating software with [Long Term Maintainability](https://www.codethink.co.uk/articles/2023/ltm-2023/) baked in.\n>\n>But alas, a general shift to this mentality appears to allude us: the prevalent attitude amongst the majority of commercial software products is still very much **“ship and forget”**.\n>\n>Consider the typical pattern: SoC vendors base their BSP on an old and stable Linux distribution. Bespoke development occurs on top of this, and some time later, a product is released to market. By this point, the Linux version is out of date, quite likely unsupported and almost certainly vulnerable from a security perspective.\n>\n>Now, fair enough, upgrading your kernel is non-trivial: it needs to be carefully thought through, requires extensive testing, and often careful planning to ensure collaboration between different parties, especially if you have dependencies on vendor blobs or other proprietary components. Clearly, this kind of thing needs to be thought about from day one of a new project. Sadly, in practice, in a lot of cases, **upgrading simply isn’t even planned for**.\n>\n>## And now?\n>\n>With the Linux kernel project becoming a CNA, we’ll now have a situation where every new kernel release highlights the scale of how far behind mainline these products are, and by implication how exposed to security vulnerabilities the software is. \n>\n>The result should be increased pressure on vendors to upgrade.\n>\n>With this, plus the recent surge in regulations around keeping software up to date (see the [CRA](https://www.european-cyber-resilience-act.com/), UNECE [R155](https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security) and [R156](https://unece.org/transport/documents/2021/03/standards/un-regulation-no-156-software-update-and-software-update)), we may start to see a genuine movement towards software being designed to be properly maintained and updated, ie, \"ship and remember\" or **Long Term Maintainability**. Let's hope so.\n>\n>## What else?\n>\n>Well, the Linux kernel is just one project. There are countless other FOSS projects which are depended on by almost all commercial projects, and they may also be interested in becoming their own CNA. \n>\n>This would further increase the visibility of the problem, and apply a renewed focus on the criticality of releasing software products with plans to upgrade built in from the start.\n>\n>If you would like to learn more about CNAs or Codethink’s Long Term Maintainability approach, reach out via .","removed":false,"published":"2024-05-17T17:20:32.862428Z","updated":"2024-05-17T17:25:34.336545Z","deleted":false,"ap_id":"https://infosec.pub/comment/9301643","local":false,"path":"0.8692182","distinguished":false,"language_id":0},"creator":{"id":2325,"name":"TheFool","display_name":"TheFool","avatar":"https://infosec.pub/pictrs/image/15bd036d-04f0-4626-a013-a9fe78064dec.png","banned":false,"published":"2023-06-13T07:35:07.671349Z","actor_id":"https://infosec.pub/u/TheFool","local":false,"banner":"https://infosec.pub/pictrs/image/dcc197fe-6078-485e-b451-2daaf977f386.png","deleted":false,"matrix_user_id":"@the.fool:matrix.org","bot_account":false,"instance_id":86},"post":{"id":8935238,"name":"The Linux kernel is a CNA - so what?","url":"https://www.codethink.co.uk/articles/2024/cve-blog/","creator_id":3291,"community_id":20,"removed":false,"locked":false,"published":"2024-05-17T16:45:09.769427Z","deleted":false,"nsfw":false,"embed_title":"The Linux kernel is a CNA - so what?","embed_description":"

This is big news. It may not seem like it at first glance, but the impact could be huge.