On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> +No CVEs will be assigned for unfixed security issues in the Linux
> +kernel, assignment will only happen after a fix is available as it can
> +be properly tracked that way by the git commit id of the original fix.

This seems at odds with the literal definition of what CVEs are:
_vulnerability_ enumeration. This is used especially during the
coordination of fixes; how is this meant to interact with embargoed
vulnerability fixing?

Outside of that, I welcome the fire-hose of coming identifiers! I think
this will more accurately represent the number of fixes landing in
stable trees and how important it is for end users to stay current on
a stable kernel.

Reviewed-by: Kees Cook <keesc...@chromium.org>

Kees Cook

Reply via email to