Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

From: Jiri Kosina
Date: Thu Feb 15 2024 - 12:38:14 EST


On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:

> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.

There is still one thing that's not clear to me with this new process, and
that's how embargos are going to be handled.

Currently, the process is broken as well, but at least understood by
everybody.

- issues are reported to security@xxxxxxxxxx. No CVE assigned, 7days
embargo, then fix gets pushed out

- at some point (in parallel, before, or after the above), the issue gets
reported to linux-distros@. CVE gets assigned, and downstreams start
integrating the fix (once available) to their codebase.

- embargo is lifted, fixes are released with proper CVE reference

How is the new process going to look like? Please keep in mind that
linux-stable is (by far!) *not* the only downstream of Linux Kernel
project.

We've had this discussion in other contexts already, but I whole-heartedly
believe that it's in no way in the Linux Kernel project's interest to kill
those other downstreams (read: Linux distros) (*) ... or is it?

(*) just looking at how much those not-basing-on-stable distros are
contributing to mainline

Thanks,

--
Jiri Kosina
SUSE Labs