
What to do about CVE numbers

What to do about CVE numbers

Posted Oct 5, 2019 17:24 UTC (Sat) by IanKelling (subscriber, #89418)
Parent article: What to do about CVE numbers

"The final question was about users who are stuck with vendor kernels that will not be upgraded; what are they to do?" ... "The answer is to force vendors to get their code upstream." It can help with future devices, but not existing ones. Submit those 3 million lines of code, most require massive changes, some will never be accepted, and at some point in this process, the phone vendor is going to suddenly update their old devices they never planned on updating? No. We all want code upstreamed, but let's get articles that make sense.



What to do about CVE numbers

Posted Oct 5, 2019 23:06 UTC (Sat) by khim (subscriber, #9252) [Link] (3 responses)

Existing ones would be locked and unmaintained. Period. Nobody could force their makers to do anything - and they very much don't want to do anything so nothing would happen.

Interest in any device for any maker goes to precisely zero once a device is sold. Even security updates and other such things are only ever done to make sure new batches of the same hardware could be sold.

What would happen to *future* devices, on the other hand, could be meaningfully influenced if we are smart: people haven't paid for them yet, thus hardware makers could be convinced to do something to make that happen.

Article just comes from "what could we *actually* do" POV, not from "what could we do in the imaginary world filled with fairies and unicorns" POV.

What to do about CVE numbers

Posted Oct 7, 2019 10:54 UTC (Mon) by IanKelling (subscriber, #89418) [Link] (2 responses)

I agree the existing ones won't get updates. The article states otherwise, which is what I quoted from the article, and my complaint is that it makes no sense and I expect better from LWN.

Getting code upstream

Posted Oct 7, 2019 13:55 UTC (Mon) by corbet (editor, #1) [Link] (1 responses)

I think you've read something into the article that wasn't there. Nobody thinks that upstreaming is going to rescue all of the unsupported devices out there. Nothing is going to fix those. The objective is to stop creating such devices in the future.

Getting code upstream

Posted Oct 8, 2019 12:04 UTC (Tue) by IanKelling (subscriber, #89418) [Link]

> I think you've read something into the article that wasn't there. Nobody thinks that upstreaming is going to rescue all of the unsupported devices out there.

Corbet, good to know that wasn't intended, but it's clearly there. You wrote:

> The final question was about users who are stuck with vendor kernels that will not be upgraded; what are they to do? Kroah-Hartman responded that this is a real problem. Those vendors typically add about three-million lines of code to their kernels, so they are shipping a "Linux-like system". The answer is to force vendors to get their code upstream; to do that, customers have to push back.

So, "the answer" is very clearly a reference to "users who are stuck", present tense stuck, but you're saying, of course that's not what you really meant, only preventing it for future users, but you need to say that if it's what you mean. It's like saying "What about the problem that there are a million or so species that will go extinct due to current carbon levels. The answer is to decrease our carbon emissions." But of course, that is not an answer to the stated problem since it won't change existing carbon levels or their effects. It's an answer to prevent the next million, but you have to say that, or else people will read what you wrote literally.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds