For Linux kernel vulnerabilities, there is no heads-up to distributions
Posted by Either_Collection349@reddit | programming | View on Reddit | 22 comments
imforit@reddit
The people who discovered and disclosed CopyFail were pretty sloppy and shady. Didn't even warn the distros. They got one patch to the Linux kernel and at the end of the month surprise-launched it at everyone else. The site is AI slop. Makes me NOT want to buy their services ever in the future.
yawaramin@reddit
Why would random security researchers be contacting distros? Shouldn't the distros be working with the kernel people to push out security patches? That's literally their job?
matthieum@reddit
I'm guessing that there's an undocumented "usual way to do this" that us mere mortals are not aware of... and the folks from CopyFail may not have known either.
yawaramin@reddit
More context from Greg K-H: https://www.openwall.com/lists/oss-security/2026/05/01/3
D3PyroGS@reddit
what exactly does that mean in this context?
yawaramin@reddit
More details here: https://docs.kernel.org/process/security-bugs.html
If you report an issue to the kernel maintainers and security team, they will work with you to get it fixed and released asap. They won't give a heads-up to anyone that an issue was reported, they just straight up release the fix. They also recommend not notifying the linux-distros ML until they actually have an accepted fix. linux-distros is where the distros coordinate disclosure.
rdtsc@reddit
That doesn't explain why coordination (or even just notifications) between the kernel team and the distros themselves is somehow not happening and forbidden.
edgmnt_net@reddit
Probably because that prematurely widens the circle of people knowing about the vulnerability. Is it ok to tell a couple of security people from Ubuntu and Fedora? What about 20 other distros? What happens if one of those 30 people now involved leak that info before a fix is in place?
wademealing@reddit
Distros used to deal with this all the time, hell I used to deal with it all the time.
yawaramin@reddit
Several parts of this security issue reporting process seem quite bonkers. Another one: you have to email the corresponding kernel subsystem maintainer, who you have to find by running a Perl script, and cc the security team. You can just email the security team, but you're supposed to try the subsystem maintainer first. Why not just email the security team who could set up an automation on their end to find the subsystem maintainer first? Who knows. That would make too much sense.
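As an added example (not code from the thread or from the kernel project), the lookup the comment above describes, reimplemented in POSIX shell plus awk over a constructed MAINTAINERS fragment. In a real kernel tree the step is `./scripts/get_maintainer.pl -f <path>`, which walks the MAINTAINERS file and prints the M: (maintainer) and L: (list) entries of every section whose F: pattern covers the file; the report then goes to the address the linked security-bugs document names (security@kernel.org) with those maintainers on Cc. The sample sections and addresses below are made up for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal stand-in for scripts/get_maintainer.pl, run
# against a constructed MAINTAINERS fragment rather than the real file.
# Only the F: forms used below (a directory prefix, an exact file, and the
# "*" / "*/" catch-all) are handled; the real script also supports globs,
# N: regexes and git history scoring.

MAINTAINERS_SAMPLE=$(cat <<'EOF'
EXT4 FILE SYSTEM
M:	Example Ext4 Maintainer <ext4@example.org>
L:	linux-ext4@vger.kernel.org
F:	fs/ext4/

SECURITY CONTACT
M:	Security Officers <security@kernel.org>
F:	Documentation/process/security-bugs.rst

THE REST
M:	Example Catch-all <rest@example.org>
F:	*
F:	*/
EOF
)

# Usage: lookup_maintainers PATH
# Prints the M: and L: lines of every section whose F: pattern matches PATH.
lookup_maintainers() {
    printf '%s\n' "$MAINTAINERS_SAMPLE" | awk -v target="$1" '
        # A blank line ends a section; emit it if one of its F: lines matched.
        /^$/ { flush(); next }
        /^M:/ { m = m $0 "\n"; next }
        /^L:/ { l = l $0 "\n"; next }
        /^F:/ {
            pat = $2
            if (pat == "*" || pat == "*/") matched = 1           # catch-all
            else if (pat ~ /\/$/ && index(target, pat) == 1) matched = 1  # dir prefix
            else if (pat == target) matched = 1                 # exact file
            next
        }
        function flush() {
            if (matched) printf "%s%s", m, l
            m = ""; l = ""; matched = 0
        }
        END { flush() }
    '
}

# Stand-alone run: who covers a file under fs/ext4/?
lookup_maintainers fs/ext4/super.c
```

The ext4 section and the catch-all "THE REST" section are printed for `fs/ext4/super.c`; the security-contact section is not, because its F: entry names a different file. That mirrors why the documented process tells the reporter to add the security team explicitly rather than rely on the maintainer lookup to find them.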
matthieum@reddit
Governments making the world better, one law at a time... :/
edgmnt_net@reddit
I wonder what laws they're referencing.
bnelson@reddit
There is no such thing as sloppy or shady disclosure. These memes need to go away. Vulnerability researchers don’t owe anyone anything. Coordinated disclosure is some nonsense Microsoft cooked up to control narratives. “Responsible” disclosure is a term people adopted who don’t understand how independent vulnerability research and disclosure work. I am hard line on this after 20 years in the industry. I have played it every way when disclosing vulns and landed on: you get what you get as a vendor. Be happy it wasn’t sold to a third party and exploited for years without anyone knowing.
simonides_@reddit
You are talking like a small child. "I don't owe anyone anything". Yet you do, whether you acknowledge it or not. As soon as you are in charge of a larger system that is actually used by people, you are going to wish for something like responsible disclosure. It is not a bad thing, however, (this is where we agree) it shouldn't be abused to ignore / abuse the reporter.
bnelson@reddit
No such thing as responsible. Just an Orwellian discourse on control. I /am/ responsible for very very large systems. I don’t care. I appreciate some heads up but we do not expect it in our program. We expect nothing. We run one of the 5 largest bug bounty programs in existence. You are simply wrong. I respect everyone’s freedom.
gmes78@reddit
The only thing that went wrong here was the kernel people not immediately backporting the fix to older LTS versions.
shroddy@reddit
If that happens more often in the future, maybe the idea behind the LTS kernels might be dead...
laffer1@reddit
For clarification, this seems to be quite common for many OS projects. For instance, I don’t typically get a heads up about patches in FreeBSD for MidnightBSD. It’s a surprise zero day for me. In the past, one of the security guys did tell me, but that isn’t currently happening. He often couldn’t tell me exact details then.
When meltdown hit, Intel didn’t tell me. 3 days before someone gave me a hint something big was coming. That was it.
There has been debate about not doing any advance notifications for CVEs going forward so they are always zero days. The reasoning is credit for the first guy, due to LLMs finding things quickly and because they can be found concurrently so often now. I hate it personally.
krypticus@reddit
I don’t understand what you said…
bunkoRtist@reddit
This is normal and not a problem. Distro maintainers can take the LTS kernels as is or maintain patch piles out of tree. That's their choice. If it's the former, they get the kernels immediately upon release. If it's the latter, then they live with it because they didn't upstream their patches.
Eleanor_Mattox@reddit
For developers tired of juggling API keys, aggregator platforms solve the multi-key headache. Worth evaluating if you use more than 2-3 AI providers regularly.
sacheie@reddit
SPAM. You keep commenting about this token bullshit on unrelated posts.