From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AE983D60
	for <ksummit@lists.linux.dev>; Wed, 16 Aug 2023 18:38:18 +0000 (UTC)
Received: from pps.filterd (m0333521.ppops.net [127.0.0.1])
	by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 37GH4iTT018061;
	Wed, 16 Aug 2023 18:38:10 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=message-id : date :
 subject : to : cc : references : from : in-reply-to : content-type :
 content-transfer-encoding : mime-version; s=corp-2023-03-30;
 bh=hGndPTtakMhme9AUi7FS/eezjk6g7bPvFyjBiFU/JdA=;
 b=OswAk0SxMPyswej3rUz0laxUo/+On9VMaQafpRYsLMKu07V0Qa2XUc45IrrLfgY4iE8e
 Xdzp53kgTMrJFYndXQi3Dx3lznxUCozbOQHCkNJS0iDiOGU0py3Qx9k1MxWlZrDFtrPB
 Y+pMdCaHf6t/124Q6HB6njk8gkmwyr1Ul+61BgaSN7nRxnoXYpaaFSmBr0GZMCVyXtwj
 nmL5oyWaQwCOkgvhPCUaRvmtac/QH4mPdorgFQge4CDORW1qxT1ASZ0duM677Dh+BHM1
 5Thb7h2iiQyME2ODInSAt0SWo0PjnV//xQCGb7RxcaR/8S/lfZuW79TYEg7MpBt7k0Pa SA== 
Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2])
	by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3se30syvu9-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Wed, 16 Aug 2023 18:38:10 +0000
Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1])
	by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 37GISmYx040098;
	Wed, 16 Aug 2023 18:38:09 GMT
Received: from nam04-mw2-obe.outbound.protection.outlook.com (mail-mw2nam04lp2174.outbound.protection.outlook.com [104.47.73.174])
	by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3sey0sm1kr-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Wed, 16 Aug 2023 18:38:09 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=e8PLcdSpBhtCulKPnGjHoTw2KvjzSddYA+4Dt9sj0CuNYxxaKIUJs2WVVGD4YEKnEZg0wdfS4OtTRoaNGkQVpqK3tjBp3MV1xEPRKkfcQb/tQS00fqapBnkW2VfDkKfXz/mKMdPcR/x03GDCVkUh6HVHIMQ7EjD/0YaHTX9Qy3dlHbjGQ26zuDF6xBE5KyberPf22DNGdq0KUKCa8O61j/jNOtd6+GjcYpe2I7u1uIoBaLLBfD+tfg1BqH+3ZvsTMZXo0n9cpjhjIJ4L83vWmahqDEgPMnqIB8pbI66PU6VlaPhjzAqhpwg4x3SO/tvaZ0c+ZIgdN0qSEhRt8rJ61g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=hGndPTtakMhme9AUi7FS/eezjk6g7bPvFyjBiFU/JdA=;
 b=kLKB6aBycPXPuCNqijcdTn53bAGfZySsa6mOa/sie+zkAAk5kU8Cpb94r0i92sgQqIpHV2Gxd77WsL0BqaZ4L7GBQMzmWdF3kijg0JtNjZcgnzsG3/PT5ef70Rko1a7upZoLd/EcCA8B54WG+JpFgEgdyfQWKg1pwWa1JPH3LTicOzxgA5Hj53TSRRxr8U6nkUCl/0nh3On4U7SBCjFK7c1DaQ16zdmii8fvTd5HlfhFUilrDBsdOgTcYfPYJ9GvW4kpEbQ0pSc1zFkQ/QagV+P+XwwzwN3/FCVbBMvcrPoSFv9/ksnd6LlMmGYP+5iFnXKpoXCbN7nrNl/x2i50mQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com;
 dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=hGndPTtakMhme9AUi7FS/eezjk6g7bPvFyjBiFU/JdA=;
 b=DhzFFl8TwMyTTvT/zvvr9m0kN0Xas0QAMIOaW3AkDHbwULgCZQao/XfqkgGmT9CHHV/s+mOb+Jo8KD3G6lzItp31O9voEW/OOzkMgsle9VRI3QLqMDoSi2PFrPeDb2tbrSD+UE8ovbWAzFpQX4x4w/frgEOIe6zrpahrupILXDQ=
Received: from PH0PR10MB5433.namprd10.prod.outlook.com (2603:10b6:510:e0::9)
 by SN7PR10MB6521.namprd10.prod.outlook.com (2603:10b6:806:2a4::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6678.26; Wed, 16 Aug
 2023 18:38:07 +0000
Received: from PH0PR10MB5433.namprd10.prod.outlook.com
 ([fe80::76c:cb31:2005:d10c]) by PH0PR10MB5433.namprd10.prod.outlook.com
 ([fe80::76c:cb31:2005:d10c%5]) with mapi id 15.20.6678.029; Wed, 16 Aug 2023
 18:38:07 +0000
Message-ID: <3f90a4be-9e21-a724-271e-bf91cfb142d5@oracle.com>
Date: Wed, 16 Aug 2023 20:38:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.4.2
Subject: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues --
 security@korg vs. linux-distros@
Content-Language: en-US
To: Jiri Kosina <jikos@kernel.org>, Greg KH <gregkh@linuxfoundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>, ksummit@lists.linux.dev
References: <nycvar.YFH.7.76.2308150927190.14207@cbobk.fhfr.pm>
 <658e739b-c164-c360-d6a3-eb4fb15ae02e@oracle.com>
 <2023081515-lake-spotty-6a3a@gregkh>
 <20230815084253.7091083e@gandalf.local.home>
 <2023081540-vindicate-caterer-33c6@gregkh>
 <nycvar.YFH.7.76.2308160014330.14207@cbobk.fhfr.pm>
From: Vegard Nossum <vegard.nossum@oracle.com>
In-Reply-To: <nycvar.YFH.7.76.2308160014330.14207@cbobk.fhfr.pm>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: PA7P264CA0083.FRAP264.PROD.OUTLOOK.COM
 (2603:10a6:102:349::19) To PH0PR10MB5433.namprd10.prod.outlook.com
 (2603:10b6:510:e0::9)
Precedence: bulk
X-Mailing-List: ksummit@lists.linux.dev
List-Id: <ksummit.lists.linux.dev>
List-Subscribe: <mailto:ksummit+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:ksummit+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PH0PR10MB5433:EE_|SN7PR10MB6521:EE_
X-MS-Office365-Filtering-Correlation-Id: 355b3faa-8874-4e38-beb7-08db9e87eecf
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	Sy1q98+nMAb6NKAHp8h0T2whv74apO1JJf3QYjBZL/JUVGTsubdduMQ3SfllTWHy620TUHeTXZqdB+U7eBDS97G67S/ZGJEWCkqwSpGaz3dpVk4/kAIshsLNN9fwbsDLpCN3G1tCDN4Jhx3HkdotYm3rvllvPrVBhwkVw+sHXE3RM6E1FWsS9O1MB0VOwc3s61YDMQGIZf2RGpU9uH0kaa6ZVPfyC2Er0b3+F7Wvo0YWVCLVhVGdmhPNObKcp2WbRUxbBHRLEPmyn6iQi4AV9rKl16unfQyF0Kv8P7mg656ODnQFLJf6nd8Rt3UKeFw+zEhFe0YwOCM4656QEOMMyH2MIAqtajs1o1Aiy92s1TL/e/GE3sKS85K1jAckMygg9eZGIo3vmWq9wWLHCEgqiiGZaiTKw0TkAWIGhPAbBZZN0Ys9uj/GyiitT1BZJuI/8TbDj4ic9XHXpcFWdzCgmgacM5DXtrbpwcvnMsmjlwyO+B7cF2Ux96htRoqXZDGZ37wYm4h9r3OgsfNRIrzngQYzv4VlIyPBUx2zWVHedrjD/EiQz1hFPWx4boTmGgm82cGMWQF2R/v4rKk4pbwQnwgNd0KijzDegPrJwZpQlrguFAhzLg61VOFy2bZQq9lSLU9cr/fQVRxW/ovb8D5g0OUpDLyRd1vVOfE4E4kmWhvZxR3WGvYB3JjWgvSGnNdB
X-Forefront-Antispam-Report: 
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR10MB5433.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(366004)(136003)(396003)(346002)(39860400002)(376002)(1800799009)(451199024)(186009)(15650500001)(2906002)(83380400001)(86362001)(478600001)(6506007)(36756003)(6486002)(2616005)(6666004)(6512007)(53546011)(31696002)(26005)(44832011)(5660300002)(41300700001)(316002)(66946007)(66556008)(66476007)(110136005)(31686004)(8676002)(8936002)(4326008)(38100700002)(35693002)(43740500002)(45980500001);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?UGZOWXBxZWVHUk5EUTdlTDFkL3BuWU5QblE3K1ZDVGpjZ2E4T3JVd1AvenVN?=
 =?utf-8?B?OGh1YWVNYkU2cm1WYTN4YVZhZzZMckVFZnRJN3k1N0U4SWkySmxCNTVURWg0?=
 =?utf-8?B?aDBILy83L1NXV3NsWFZ1N0hjc2Y4RWUzaGNhTjFvOWxEaXNyWllDdnhoelE3?=
 =?utf-8?B?Z2ZaT3gxeGRZTGIvSXlEYU80VW13ZHlWK2RHS0pSdC9Ka0M1NGJWRzRPRHdH?=
 =?utf-8?B?bEJQWWk2V3VSbWE4MlZMYWQ3UE90NCtIanYxK2Z4dE9KZUY5N0I4ZHBVWEI2?=
 =?utf-8?B?L3hsWlMvWFFBQTFvekJkd3E0M2Y1Q0ZqMEcvcWgrM25ZMTRPWVlaQjh6WFhG?=
 =?utf-8?B?N09qSUxyK2lJR082UmRrTThJRzFDZUg0LzltMytCbzI2RHZId203bVVhQUxt?=
 =?utf-8?B?NUhhSFprQTdYSVYzNEMxMUV4cEFtNUxCT2p2R0R2TVlDTEpOQnA0b1JrWjhZ?=
 =?utf-8?B?NklXaWRiRDJkeDdSSTI4ZzhOUlBWS2htT0JsY3Z2S0NQQ0QvTHNNZlRLMjZW?=
 =?utf-8?B?Uy9LV2ZmVmxmY1lMUW5XbFoyM3Q4OXV5dEI3QXlMQXhlYUNsQ0xvajZwRWJJ?=
 =?utf-8?B?WHZYK3pvOGFVdjV6dFlIeWYzbDlnd3plMW1PV1hsMlhhc2ZFWG8wMjAybG1C?=
 =?utf-8?B?bFFmSCtscmw4M2tseEZoZFNhc0ZJSjI1YktKYU8xUHVNVlRMVTkrZHJzcGJS?=
 =?utf-8?B?ZHhmL1ZCbUZzNS9RNTVVL2VEQVEzMDhUZm1oaVFGc1JQRFMybEc3NkdYSHBU?=
 =?utf-8?B?SWlxeS85RDRSemxRNFI1bjJTWFdkM0lNYVVjT2VXeFVrRmRWOUNpL291Wmlv?=
 =?utf-8?B?WGRydWJwTTdKRjJxejY1QlZ5ZHhHRVBGd0hyUk8wdzRHUXpCNk5MS0U2N3Ro?=
 =?utf-8?B?WDUzRkIzUzFCcWZQYmRjdFBIbUFNRGxxTWRIYTZ6WWQ1ZFJrZmZUUFRyS0Rs?=
 =?utf-8?B?NVgwdmtZRHVBQXBFTUp3S2U1Z1hHeWxVc2N4NTluSFRkWWpXRldKN1VhMHUx?=
 =?utf-8?B?OGhabXNFTmxlSlRKNjAyVWZXaWxUOUlrc3lJRU9CbkQwbkhDNzFEUnpENTdV?=
 =?utf-8?B?ZlJ0S3l2cTcrNmM2WGhqdDhjem03T2o0dzRrb1UyMnorREt3SWNvL1A1Z1Z2?=
 =?utf-8?B?aGgzU2xWZzhxZ1FOODF5U0pEakMrMnorTWRYV0JiS00wdldZbVZZUWFPNCt6?=
 =?utf-8?B?aDdQejdRRmk2R1pnamgrMnNTQnFEajhPZWNPWHJ3TGF1MlhwVkdvN1FxcW43?=
 =?utf-8?B?THFlNkoxSVYzWTJzQ1lYT3VZMTZ4ckJyemI2c0xrb3NHQWpTemFwODY2TzYw?=
 =?utf-8?B?aTg5bmszSjBxNFhzRCs5WlQyRURFd0FNajVGTmJDbVdrM3J0ZkdrK1NEOFNj?=
 =?utf-8?B?NlVJbVg1cWlqczhLWWNlMTI2MThoc3BLQ0RZMENKVFF3cmFWUWk2Ry9STjdu?=
 =?utf-8?B?c0dGZG1VTHBUTmdvQnEzQW93cEpGblplQ3lvRGFhSWZ2ZG1XbTFiTFRWU21N?=
 =?utf-8?B?aUVzaFduUDNKL01USmdmOERTT2ovL1pJTTFkV0FPU3RPM1Zwa0U0bHlDTEIv?=
 =?utf-8?B?S0hEM1lla3Jmelk1SklvdFFBS2lNVlg1SmVlOGcxamhyM0NBNlpHWFNLSi9q?=
 =?utf-8?B?SWsvNjVqeGM1cE9TQWhualNsZFBtaDZndklzM011RUVUcDR3Tk1uaHpYSndY?=
 =?utf-8?B?dkxVdWZDOGZ5YnVXVGY1aTFYS0VrY3BQdXY4UDBVUTFodmNrc3BIdkFjeWZk?=
 =?utf-8?B?UVdzRmp3SG50dHN1dmQvSVBoV2UrWUhYTTFWajdEaDB4ZHRyTTRxY0hZcjRF?=
 =?utf-8?B?TUtDdmpjc0FTZEc1ZDV1RlhhRHNwZzZzNXpTeWdsUkJsNTI0NUt6bHVPemxI?=
 =?utf-8?B?SFlpN04zVGk1OUlrSzJtbGJBZzdyNWUwUTdFVGlkbW4xMzNJMVBVellQOU9z?=
 =?utf-8?B?R0E3aFNvKytZL25qMEhUT0dlM2ZNYWkwRlNaNCtiOGtIYXBka2ppMERyWE45?=
 =?utf-8?B?elZEanZHUXl4SHZURGM0cG1XWXdGZFhET0xCSmJzOEoySExQdTdNenJXeTJK?=
 =?utf-8?B?S0o0SG9PMmIydVIzMzg5bHU4ZXphZ213cXo1SHNvU2o1cTNwck1kelhHbmhV?=
 =?utf-8?B?V0s1THpzMHRYeFI4VjFPTlRJb3JyL21yWXM4aUtnY0lKVUtOUGZKM2RtQzk4?=
 =?utf-8?B?N2c9PQ==?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 
	xswZzzLAUkfuae9rQwX2h5o+gXYIVu5W+TCIs2FUgRGnd4pNTN9lbXJmldZd2AWtp5/RLaha2ZU8OqRgdh3duhHE/xW8pvNuCXjahHNwRM+t9BQBwEg8Lf4UbqSv4LJ1P6NQHP5V+rCtFQwDF91fMYqhVcVbbMDY4H76MdIKAPOKYgHgz2Wb28nJIPaki9kwtTdGIBgEfed5iWhanagxxbFUqPASKkXXRzaoZBafdIvbv2crymrwD8IfIwYHlkNi+uPHGWq+IdwOekfPDgpznaX8jdpiMATROfU8B2pF84HRGLSlkTABt2RCJL5/xFomMXNUIC/CgnpTwa3WX4j1uFF5XBjOZwtHsmfWdSVO/Suw5cmG6myMZrBBe5Q5XxYCSIf8B1U5CF+ruX7g2Og0xp/YOLQoSEHl/GUwpFpOX0IvuRkEkLof/2xjmJwMysJ5k3/KVdwft44kk8geHGvUWFTtd80ph5ZVUYk30GhFWDof1y/HuYA0pOqZlRptgmo+kWcEFuqlVuD7woc/YR5xhzrWVycDrOOE59ndZX4JIHgrFWsdJnO7E25jJBApJEuP4sYmXCBu6GlKu8AryYYEFZJRte/n18KK/knPSaukyF5Pe7aNFKpXo7Q/ij/aUfgIHTYaFEFAMQnbdfQseRMJ6HHkwqMcoRhzKv5ujpqd4le8pT/oe1K85QqhdM4/CmrGOLRGejYkGNqbJdKlIqou1ZvedkiT4oStCKCmJLIKCqaVz9DjKgCEistdnVoinfBr/XMY+VHPxwmnbKrbufV0gZAT5PVCHmfy8jnyxAt1+Mjf8otyr3WO/Mq/tgBAocCa0rEGGkdccUcoJ9QaAG4fUulTFUPw9WbtSUTpdFQAm7bPYt0uwGOAWPGirIU58TMF
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 355b3faa-8874-4e38-beb7-08db9e87eecf
X-MS-Exchange-CrossTenant-AuthSource: PH0PR10MB5433.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Aug 2023 18:38:07.0239
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 2bWWyUuO5EQtCp0D6fofJqUJu7SpSgYOY/Oh3LrYzVezv4qa+RO7Nh4VWlk/DWza4IevFDKm9mxEpoCW+RjEVpBcI59enjTLlqCbN2PisH8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR10MB6521
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.601,FMLib:17.11.176.26
 definitions=2023-08-16_18,2023-08-15_02,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 phishscore=0 mlxscore=0
 spamscore=0 malwarescore=0 mlxlogscore=999 suspectscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2306200000
 definitions=main-2308160163
X-Proofpoint-GUID: vqBjuL5XW9LXBj15RQqOHrrQDLQyEsyP
X-Proofpoint-ORIG-GUID: vqBjuL5XW9LXBj15RQqOHrrQDLQyEsyP


On 8/16/23 00:17, Jiri Kosina wrote:
> On Tue, 15 Aug 2023, Greg KH wrote:
> 
>> Why are they not just doing what the huge majority of Linux users doing
>> and taking the "feed of known issues that resolve problems before they
>> are public knowledge" that we provide today for free to them?  Because
>> they somehow think that knowing a specific single bugfix is more special
>> than all of those other bugfixes, which honestly, is just loony.
> 
> If you'd like me to turn this proposal into "What can we do to make sure
> that most major distros are eventually basing their kernels on -stable"
> discussion, I'd be happy to do that, but I believe this has been discussed
> quite extensively already.

I really think these are two different and orthogonal topics and we
ought to treat them separately: tracking stable vs. having advance
notice for some vulnerabilities.

(Regarding tracking stable, I fully agree that all distros should be
keeping up with stable and not just cherry-picking specific fixes or
whatever commits happen to have a CVE assigned. No contest there.)

This proposal is about embargoed security issues, issues that were
reported because somebody knows (or has good reason to suspect) that
an issue is exploitable and is planning to disclose that fact publicly.

I posit that there is objectively a difference between:

a) vulnerabilities that have been discovered and reported by a
security researcher and where a detailed analysis and/or PoCs/exploits
are certain to be made published publicly; and

b) patches that appear in mainline/stable with no vulnerability
analysis and no known exploit vector.

I agree that both categories of issues may be equally serious or
equally exploitable, so the difference is in the fact that somebody
has done a thorough analysis of specific bugs and/or is planning to
disclose that publicly.

If distros are only made aware of a vulnerability when it is
disclosed publicly by a security researcher, that leaves a window of
opportunity for attackers -- patches that appear in stable do not
immediately make it onto end-user systems for a variety of reasons:
the time it takes to backport the patch (as most distros carry at
least some out-of-tree patches), testing/validation (especially if
there were conflicts or other issues with the patch), and then of
course the time it takes end-user to upgrade.

I think several distros at this point are making use of live patching
technology -- for really critical vulnerabilities, this has the
potential to reduce that window to very close to zero: live patching
updates that are available and can be applied from the moment the
vulnerability is disclosed publicly.

So it really isn't a choice between one or the other -- the best
security for end users is when we do both.

(I should add that I don't think anybody is really asking for a private
feed of s@k.o -- IMHO the best solution would be for security
researchers to notify the distros list when s@k.o has a tentative or
final patch, before disclosing the vulnerability publicly. The best path
I see for that is: 1) relax the linux-distros policy to not require
posting more than what the reporter is comfortable disclosing, 2) fix
the kernel.org documentation to be clearer for reporters, 3) have a
person on s@k.o who can guide the reporter towards linux-distros if they
are planning to do a public disclosure anyway.)

Thanks,


Vegard