<rwmjones_>
it also seems to be based on their false belief that Red Hat has to backport every CVE (which is not true, either by practice or by law)
<davidlt>
There is EU Cyber Resilience Act (not sure the current state)
<davidlt>
IIRC that means there should be a DB for EU/single market for CVE (required to report, incl. info about patch within 72 hours IIRC)
<rwmjones_>
yeah but it doesn't require all CVEs to be backported (nor does the US thing whose name I've forgotten right now)
<davidlt>
SBoM will become a requirement at some point, with which it will be easy to identify affected software components and act fast (?)
<davidlt>
I am following this stuff, but not really actively (yet).
<rwmjones_>
for sure, we're adding SBoM support to RHEL at the moment
<davidlt>
Yeah, US will have something similar too IIRC
<davidlt>
I wish this was a single solution instead of EU and US doing similar thing
<davidlt>
I remember talk(s) from kernel main folks about this. IIRC they are kinda pushed to do it.
<davidlt>
Giving each patch (-fixes) a CVE is cheap on their side.
<davidlt>
It would be expensive to cross-check every patch for potential vulnerability.
<sorear>
what's the solution to "vulnerability discovered in library which only affects a tiny fraction of users, but the fix is invasive and likely to cause more accidental breakage than the number of affected users"?
<davidlt>
I guess this will depend on US and EU ruling about different fields.
<davidlt>
Like medical devices based on SBoM might require a different action from some crop field IoT sensor.
<sorear>
and its corollary "vulnerability discovered which only affects users that were using the library wrong to begin with, and is arguably actually a bug in the users"
<davidlt>
Basically this will allow measuring and accountability regarding "lazy admins" or something.
<sorear>
someone filed a cve recently against riscv that if you take an exception before mtvec is initialized, you jump somewhere random
<davidlt>
The amount of ransomware and other hacking is increasing, and that could be (and is) hospitals, utility companies, etc.
<davidlt>
is that a spec bug, or HW implementation detail? :)
<davidlt>
How does that affect Software Bill of Materials?
<davidlt>
I don't know how this works with specification (ISA) and hardware bugs.
<sorear>
imo it's the spec working as designed but once people decide that something is a vulnerability it can be very hard to change their minds
<davidlt>
Well, what happens if RISC-V creates their own CNA and issues their own CVEs? :)
<davidlt>
In that case they could reject this.
<davidlt>
as we can see projects are slowly taking ownership (becoming CNAs)
davidlt has quit [Ping timeout: 255 seconds]
zsun has quit [Quit: Leaving.]
zsun has joined #fedora-riscv
davidlt has joined #fedora-riscv
davidlt has quit [Ping timeout: 264 seconds]
<fuwei>
rwmjones_: Hi Rich
<fuwei>
sorry for late response
<rwmjones_>
fuwei: hey, no problem, I forgot you're on holiday!
<rwmjones_>
let's have a chat next week when you're back
davidlt has joined #fedora-riscv
<davidlt>
rwmjones_, I don't think there was any feedback on meson side (yet)
<rwmjones_>
davidlt: yeah I was going to avoid poking that nest for a while
<rwmjones_>
but we're still right
<rwmjones_>
we might have to maintain a downstream patch for a while
<davidlt>
rwmjones_, OK, we just need to not forget about this
<davidlt>
Well, yes/no/depends ;)
<davidlt>
Have you seen my earlier message about filesystem package?