public inbox for linux-kernel@vger.kernel.org
From: Michal Hocko <mhocko@suse.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
	linux-cve-announce@vger.kernel.org
Subject: Re: CVE-2024-35906: drm/amd/display: Send DTBCLK disable message on first commit
Date: Tue, 21 May 2024 19:56:54 +0200	[thread overview]
Message-ID: <ZkzgZoxF_RD50PdW@tiehlicka> (raw)
In-Reply-To: <2024052110-grasp-liking-22c0@gregkh>

On Tue 21-05-24 19:03:58, Greg KH wrote:
> On Tue, May 21, 2024 at 06:51:28PM +0200, Michal Hocko wrote:
[...]
> And really, in the end, if you have a "CVE and fix for CVE" in the same
> release, applying both doesn't hurt anyone, so this is a "fail secure"
> mode for everyone, right?

Look Greg, we have been through this discussion on several occasions and
I do not want to repeat that again. Stable tree users probably do not
care because they are getting all these patches, including regressions
and patches they do not need or even want, anyway. They are getting what
they are _paying_ for. Marking them CVE doesn't make any difference. But
stable tree backporting model is simply not a good fit for _many_ users.

Now, for $reasons, people _do_ care about CVEs and that is why there is
an engineering cost on downstreams to review them. Exactly because
applying all of them blindly is a _risk_. Exactly because the stable
backporting model/policy and CVE assigning policy is simply incompatible
with the stability/correctness/performance/$other requirements.

I completely do get why you do not care about that downstream
engineering cost but generating bogus CVEs on top of a huge pile of
dubious ones is less than useful, don't you think?

Seriously, we can disagree whether something is a security threat that
is worth marking by a CVE. But making the CVE generation process a mostly
unattended, script-driven process without any _serious_ review in place
is burning a lot of man power that could be used in a much more
productive way. This is not the way to convince people to use stable
kernels.

Bye
-- 
Michal Hocko
SUSE Labs
