Message-ID: <e61844e3-47d2-4209-b34a-6d94f963113f@gmail.com>
Date: Thu, 2 Oct 2025 21:32:49 +0200
From: Attila Szasz <szasza.contact@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros
Hi Greg,
I am writing to formally invite you to a public debate at next year’s
FOSDEM.
Our past discussions surrounding the HFS+ vulnerability—and the
subsequent "lamest vendor response" award the Linux CNA received at
DEFCON—highlighted a significant disconnect in how we approach security,
disclosure, and community roles. My goal is not to re-litigate a past
issue, but to bring transparency to crucial questions that many in our
community are asking about the future.
I propose a moderated discussion in the Linux kernel devroom to explore
these topics. The idea is to foster a constructive dialogue, not a
confrontation. The key questions to address would be:
* The Linux CNA's Role: What is its responsibility in global product
  security, and is its current approach effective?
* Vulnerability Triage: Is the "all bugs are just bugs" philosophy
  sustainable, or do certain flaws require a higher class of treatment?
* The Future of Linux Security: What are the long-term consequences
  of our strategic choices regarding security investment and process?
* The Next Generation: How does the kernel project integrate the
  perspectives of independent, nonconformist, and younger developers?
* Regulatory Readiness: How can the kernel community best prepare
  for the impact of legislation like the EU's Cyber Resilience Act (CRA)?
I believe FOSDEM's open, community-driven, and unfiltered nature makes
it the ideal venue. A frank conversation between us would bring immense
value and clarity to these complex challenges for the benefit of the
entire ecosystem.
Would you be willing to participate?
Best regards,
Attila
On 10/2/25 16:34, Greg KH wrote:
> On Thu, Oct 02, 2025 at 03:11:17PM +0200, Attila Szasz wrote:
>> For the sake of product security folks who rely on consistency: the Linux
>> CNA recently registered a batch of HFS/HFS+ CVEs that require manipulating
>> malformed filesystems as a first step. This seems inconsistent with how
>> similar cases were previously handled.
> If you feel the Linux CNA has issued CVEs in an inconsistent way, please
> contact them and the people there will be glad to research the issue and
> get back to you. They are issuing, on average, 13 CVEs a day, and so
> stuff like this easily gets lost in the firehose.
>
> The Linux CNA is also currently "backfilling" many old CVE entries that
> previously came from the GSD database, and perhaps the issues you are
> referring to came from there. If so, again, please contact them and
> they will be glad to discuss it.
>
> thanks,
>
> greg k-h