by harshreality 50 days ago
They can't. Linux has too high a profile. Any additional "in group" that had access to embargoed critical security information would have a much higher chance of being compromised.

The solution is not to tell more people that patch xxxxxx is a critical security bugfix that needs distros to roll new kernel versions immediately.

Major vendors (all the cloud providers) will have security teams that can have the bug mitigated in a few minutes once they're notified.

For everyone else...

Part of the solution is that distros need to stop believing that their distro kernel branches are any better than linux-stable, and use linux-stable and engage with the linux-stable list and patchsets if they're concerned about what's going into them.

Part of the solution is each distro needs a process for pushing critical updates (module blacklists, ebpf patches) to address things like this without forcing all distro users to reboot, which many won't do promptly anyway.
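An added example of what one of the "module blacklist" pushes mentioned above could look like on the distro side (this is not code from the thread or from any distro's tooling): a POSIX shell script that writes a modprobe.d drop-in disabling a module and, if the module is already loaded, attempts to unload it. The module name `example_mod`, the `DEMO` variable and the directory argument are placeholders chosen for this example; the script only writes where it is told to, so it can be exercised outside `/etc`.

```shell
#!/bin/sh
# Added example, not from the thread: generate a modprobe.d drop-in that keeps a
# kernel module from loading, the kind of mitigation a distro could push ahead of
# a full kernel update. "example_mod" is a placeholder module name.

# write_module_blacklist MODULE DIR
#   Writes DIR/disable-MODULE.conf with two directives:
#     blacklist  - stops alias/udev-driven autoloading
#     install    - makes an explicit `modprobe MODULE` run /bin/false instead of
#                  inserting the module, which also covers dependency loads
#   Prints the path of the file it wrote.
write_module_blacklist() {
    mod="$1"
    dir="$2"
    conf="$dir/disable-$mod.conf"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    printf '%s\n' "$conf"
}

# module_loaded MODULE [MODULES_FILE]
#   Returns 0 if MODULE appears in /proc/modules (or in the file given as $2,
#   which lets the check run against constructed input).
module_loaded() {
    mod="$1"
    modfile="${2:-/proc/modules}"
    grep -q "^$mod " "$modfile" 2>/dev/null
}

# apply_mitigation MODULE [MODPROBE_DIR]
#   Writes the drop-in and, if the module is currently loaded, tries to unload it.
#   A module that still has users will refuse to unload; the drop-in then at least
#   prevents it from being loaded again after a reboot or udev trigger.
apply_mitigation() {
    mod="$1"
    dir="${2:-/etc/modprobe.d}"
    write_module_blacklist "$mod" "$dir" >/dev/null
    if module_loaded "$mod"; then
        modprobe -r "$mod" || echo "warning: $mod is in use; blocked for next load only" >&2
    fi
}

# Dry run with constructed input: a fake /proc/modules line and a temp directory.
if [ "${DEMO:-0}" = "1" ]; then
    tmp=$(mktemp -d)
    printf 'example_mod 16384 0 - Live 0x0000000000000000\n' > "$tmp/modules"
    conf=$(write_module_blacklist example_mod "$tmp")
    cat "$conf"
    module_loaded example_mod "$tmp/modules" && echo "example_mod is loaded (constructed input)"
    rm -rf "$tmp"
fi
```

Run with `DEMO=1 sh script.sh` to see the generated drop-in against the constructed module list; `apply_mitigation example_mod` is the call a real push would make, and needs root because it writes to `/etc/modprobe.d` and calls `modprobe -r`. The `install` line matters as much as the `blacklist` line: `blacklist` alone only stops autoloading by alias, so anything that names the module explicitly would still get it.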

1 comment

I used to work in a group that 'managed' this information a while back. I used to work in Red Hat product security dealing with embargoed flaws and disclosure dates; it was non-trivial to get this process managed.

I do think that it's the right thing to do, if the reporter is willing to come to the party, but I also understand why if they don't want to.

> Part of the solution is each distro needs a process for pushing critical updates (module blacklists, ebpf patches) to address things like this without forcing all distro users to reboot, which many won't do promptly anyway.

Almost like a 'mitigation tool' that doesn't require expertise on the user's end, but on the provider's end.