The upstream Linux kernel doesn't differentiate between security bugs and "normal" bug fixes. So the new kernel.org CNA just assigns CVE's to all fixes. They don't score them.

Look at the numbers from the whitepaper:

"In March 2024 there were 270 new CVEs created for the stable Linux kernel. So far in April 2024 there are 342 new CVEs:"

Yes ! That's exactly the point. Trying to curate and select patches for a "frozen" kernel fails due to the firehose of fixes going in upstream.

And in the kernel many of these could be security bugs. No one is doing evaluation on that, there are simply too many fixes in such a complex code base to check.

Oh that's really sad. I hope they use a more up to date version of Samba :-).

I don't see that argument in the blog or paper.

Did you read them ?

There are many more unfixed bugs in vendor kernels than in upstream. That's what the data shows.

You're missing something.

New bugs are discovered upstream, but the vendor kernel maintainers either aren't tracking, or are being discouraged from putting these back into the "frozen" kernel.

We even discovered one case where a RHEL maintainer fixed a bug upstream, but then neglected to apply it to the vulnerable vendor kernel. So it isn't like they didn't know about the bug. Maybe they just didn't check the vendor kernel was vulnerable.

I'm guessing management policy discouraged such things. It's easier to just ignore such bugs if customer haven't noticed.

Gordon, Gordon, don't you ever get tired of your obsession ?

"Towards thee I roll, thou all-destroying but unconquering whale; to the last I grapple with thee; from hellâ(TM)s heart I stab at thee; for hateâ(TM)s sake I spit my last breath at thee."

Very astute comment. The white paper shows that the frozen "vendor" kernel model really doesn't work. And if people can't / won't upgrade then maybe alternative security precautions around a known insecure kernel is the best we can do.

This. Non-slip surface, resiliant, fits in one hand, good battery life, useable lifetime of at least 5 years. That'd be pretty much my perfect phone.

What's that obsession with thin? Compensating for a beer belly?

Can't remember anyone ever posting anywhere that what they'd really want is a thinner iPhone.

I want a new SE. I want a phone I can use with one hand. I want a phone that after 5 years still holds a charge for 2 days. I want a phone that I can drop once or twice and it won't be damaged. Yeah, I know that's what cases are for, but I detest cases. I want a phone that doesn't slip out of fingers or pockets.

Also, I want a phone that detects when you are speaking way too loud into it and shuts down when you do. That would make a ton of people WHO THINK YOU NEED TO ALWAYS SHOUT stop doing that.

As well as nonsense, extreme partisanship, filter bubbles and circle-jerking.

It's probably one of the worst sources to train an AI on unless you're working towards fully automating social media so that no actual human every has to post or ready anything there.

I don't know, man. I've been using it for certain things until now, but seeing it listed alongside Gnome, PHP, and systemd, makes me question whether I should be using it at all. Is it possible that I have simply failed to *notice* that it's extremely terrible in some obvious way?

Cryptocurrency essentially *is* fiat. It's just... decentralized fiat. The reasons people believe it's worth something are different than with a traditional fiat currency, and rhetoric notwithstanding it's more of an investment asset than a currency, but fundamentally, it's only worth whatever people believe it's worth. It's not backed by any kind of tangible specie. That's pretty much the definition of fiat (in the context of financial assets).

There's money involved.

The ethereum itself isn't currency; but it's an asset that people purchase as an investment, which puts it into the same _general_ category as currencies, stocks, bonds, futures contracts, and so on and so forth. Cryptocurrency in general (not just ethereum specifically but also bitcoin and others) is a bit unusual as such assets go, in that it A) has no tangible value except "whatever people will pay for it", like a fiat currency, but B) is not backed by any of the usual sorts of trusted organizations (like central banks) that generally back fiat currencies. This is a somewhat odd combination, but it's not completely unprecedented. There are for example hedge funds that take a net-short position, so that in technical terms they aren't reliably backed by anything really tangible either. It's not advisable to keep your entire net worth tied up in that kind of investment, but as part of a larger portfolio, it can be manageable.

It's important, in contexts like this, to realize that even currency is not precisely the same thing as money. If it were, the government could easily make everyone rich by just printing more currency. That has occasionally been tried, by people who really didn't understand how money works. None of those experiments turned out very well, for reasons that ought to be obvious. Currency is principally important as a proxy for money, and in everyday life when you're going to the store and buying something mundane like a pack of gum, the difference can be largely ignored (provided the currency is reasonably stable). But when you start talking about macroeconomics and investments and stuff, it's important to know the difference.

It's really not sci-fi. It's fantasy in space, also sometimes called "space opera". The arguments that the fans have, consistently don't have anything to do with the physics of how the technology works, because that's not important to the series.

I don't think this is so much "Don't do that, bad things will happen" as "Don't use our facilities to do that, it makes our insurance company's lawyer nervous." It doesn't take very much to make an insurance company's lawyer nervous. Pretty much using any facility for any purpose that the facility wasn't specifically *intended* to be used for, is going to be a problem in this kind of context. If you have a gym, you can play basketball in it, and your insurance company will probably be cool with that; but if you start allowing teenagers to roller skate in the gym, and the insurance company gets wind of it, you're going to have a problem. Spraying saltwater into the atmosphere to see if it changes the clouds, is clearly not what the museum ship was meant to be used for, so yeah, the insurance company's not gonna like it. That's not what they agreed to insure.