by eqvinox
841 days ago
> And they're going to ask how much for the recertification for each CVE fixed? I doubt that'd be cheap.

FIPS has created an off-kilter perception about "recertification" because they require essentially the entire process when you change a single bit somewhere. Most certifications are not that harebrained. Also if you need "certified" Linux, you are either already spending resources on it yourself, or paying someone else to do it. This might need adjusting for this new CVE practice, but it's going to be an adjustment and not a reset.

> […] can't leave them unpatched (especially with some of the new legislation) but also downtime from poor updates could be really bad.

Then pay someone to test and deliver.
|
That's the thing, resources aren't infinite. Linux offloading that work elsewhere will not have a net positive effect.
The path of least resistance will be taken, which is going to be proportionally less QA, if there was any to begin with.