by sersi
48 days ago
Thanks for the reply (and thanks for the work you do)! Fair enough. And the issue is also that without some form of vetting you run the risk of disclosing the 0-day too early? About that "That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.", you mean that if you disclose selectively, then you become liable for damages? Or was it a more direct conversation with legal/governmental agencies? And for a bug like this, what is the policy for backporting patches to LTS branches? Since it was corrected in mainline on April 1st but only backported after the public disclosure. Do you delay backporting to minimise any attention on the security issue? I guess that having a patch for that land on all the LTS branches would signal to any would-be attacker that it's a significant security issue... Sorry for all the questions, but I'm genuinely interested.

EDIT: Just read your blog post at http://www.kroah.com/log/blog/2026/01/02/linux-kernel-securi... which does answer a lot of my questions...