> a notification should have gone out from the kernel team to a curated list of distro security folk
Who would curate that list though? You don't need permission from the kernel team to spin up a new distro. I can go and create a fork of Debian or Arch or whatever today and the kernel team would never know (and neither should they).
This is completely in the responsibility of the distros. If you don't like this model, use something like FreeBSD.
Sounds like a job for the Linux Foundation maybe?
You don't need anyone's permission to make a distro, that's true, but if you notify Debian, Canonical, Fedora, Red Hat and Arch you're covering a very large fraction of users; way more than today's 0%. In cases like this, perfect is the enemy of the good.
The Linux Foundation hasn't been about Linux (except marginally) in a long while, if ever.
The name is a misnomer.
A rogue actor may create a new distro, maybe for some niche use case such as accessibility or retro gaming. After acquiring enough false (and even some real) users that the Linux Foundation accepts them as a notifiable distro maintainer, this maintainer could then pwn machines before the exploit is made public.
I didn't say all distros should be notified, for that exact reason. I listed a handful of major distros.
Who gets to decide who the lucky few are?
Sounds like a job for the Linux Foundation maybe?
Human beings
Qualified by what?
Are you implying it requires expertise to figure out the ten (plus or minus a factor of two) biggest distros? I think most people that understand the context of the question can figure out pretty similar lists.
Rather than the current situation, where they can pwn machines after the exploit is made public?
Yes. After the exploit is made public, the window of opportunity closes quickly.
Not if people don't get notified!
Uh, there is a list, named "linux-distros", which is for this purpose (and I think it's for more than just Linux, e.g. I believe it was used for the xz vuln).
Given this was announced when backports weren't ready (and given the POC was at least opaque if not obfuscated), I'm getting the vibe fixing the vuln wasn't as high a priority as making a media splash.
From TFA:
> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.
so, no, the `linux-distros` list doesn't solve the problem.
The impacted user count of your debian fork with custom compiled kernel would probably not be more than 1 however.