Stop blaming the reporter. Start asking kernel to fix their process. Linux kernel is no longer a toy project, it has full time employees employed by various companies. They should have handled notifying distributions. Not some rando.
Stop blaming the reporter. Start asking kernel to fix their process. Linux kernel is no longer a toy project, it has full time employees employed by various companies. They should have handled notifying distributions. Not some rando.
Look, if they namedrop specific distros in their announcement (marketing) blog post as affected, I think a heads-up before publishing that is appropriate and expected.
I don't think they would have gotten as much flame if it weren't for how the RHEL 14 mention and such were put.
This is a security company with a professional(?) communications department banking on pointing fingers at distro maintainers. We are not talking about solo security researchers or academics here.
Exactly. Any security person absolutely KNOWS that the distros are still going to be vulnerable. They're exploiting this process loophole to knowingly cause chaos and gain notoriety.
At this point this is not really white-hat/ethical hacking anymore.
Ofc the kernel-distro security loophole is stupid and should be patched ASAP, but that doesn't absolve this company of wrongdoing.
We all know that's what it is, I don't know why people aren't willing to just say it.
It has a domain, it has a logo, they were going for maximum impact because it's their business.
Linus should take his trademark autistic rage where he calls other peoples code "dogshit" onto his own work for once. He likes the glory of leading the kernel development but not the responsibilitys like this.
No, I will. The distros and the kernel devs should be talking and moving on high sev patches, sure. But real people will have gotten hurt because the reporter didn't want to wait for that to happen. That's on them.
you must be unfamiliar what used to happen before hard deadlines were set on disclosure. it was much worse for the users.
here is a good start: https://projectzero.google/vulnerability-disclosure-faq.html...
there is ~3 decades of more context if you search for it.
tldr: if security issues don’t get disclosed (or the real threat of disclosure) they won’t get fixed / prioritized.
It's one thing to report a vulnerability, another entirely to make a crazy exploit available for any tom, dick, and harry to take and use. It was irresponsible of whoever came up with it to release it in the world without first giving major distros a head's up.
A proof of concept is a very standard thing to include in a disclosure, almost table stakes nowadays because of the amount of bad reports. Once there's any disclosure there will be exploits developed and published anyway, it's not a meaningful difference.
Bashing on the reporter is pointless feel-good. This is a massive vuln. It was 4 weeks after Kernel had a patch. They had no way to know if others parties had also discovered the vuln. Lord Knows how many millions of systems could already have been rooted. The reporter is not their minion.
If I call 911 to report a fire at an oil storage facility - and they ask me to alert the hospital, then phone the neighboring county's Sheriff Dept., and then...yeah. Either I'm way out in the sticks (and known to/trusted by the 911 operator), or else the 911 service is run by children.
Great metaphor.
I'd hate to be involved in any emergency services. Too many people have opinions on how things should have been done.