September 13, 2018
Additional Participants: Dan Carpenter, Greg KH, Justin Forbes, Leon Romanovsky, and Takashi Iwai.
Eduardo would like to discuss improving annotation of CVE patches. He sees the following challenges with the current process:
Eduardo believes that providing additional CVE information would be helpful when backporting. Justin Forbes suggested that the author send a summary in the case where the patch(es) went in before the CVE was assigned. Takashi Iwai had hoped that git-notes could be used to add post-release notes, but has always encountered resistance to this notion, with objections citing difficulties in sharing the notes and scalability concerns (though Takashi believes that scalability would suffice for CVEs). Greg KH recalled a GitHub tree that tracked the relation between CVEs and kernel commits, but the author was only able to keep it up to date for a few months. Greg noted that post-patch CVEs are the common case, and that Meltdown was a single CVE with a very large group of related patches. Dan Carpenter recalled that Eugene Teo had run a mapping, but instead suggested using the Ubuntu CVE Tracker.
Leon Romanovsky pointed out that if patches were labeled from the get-go, hardware vendors would delay the patches due to contractual commitments to supply fixes to their customers before going public with the problem. In contrast, the current state allows a timely (quiet) fix to the kernel, with the vendors' customers being notified concurrently. Greg cited this as a reason to avoid marking patches with CVE information.
Both Greg and Takashi profess to be in the “CVEs are a joke” camp.