Ancestors

Toot

Written by Seth Larson on 2025-01-28 at 15:54

Loved this article from @joshbressers

https://opensourcesecurity.io/2025/01-cve-for-end-of-life/

I see this use of CVE as yet another symptom of a problem: it's impossible to get the attention of open source users (by definition, a group of people you don't know about).

The number of users that read the changelog or mailing list, check https://endoflife.software, or enable telemetry rounds down to zero. CVE is one of the few messaging systems that works. I expect more creative uses, not fewer, as OSS projects become CNAs.

Descendants

Written by Seth Larson on 2025-01-28 at 15:56

@joshbressers Whether it's a good idea or not? Honestly, not the worst idea. One issue with CVE today is that a lack of signal is a signal, but vulnerability scanners aren't able to highlight that signal effectively.

If a project becomes unmaintained or a certain branch is no longer receiving CVEs from upstream, how is the project supposed to signal that to users? They will only see a lack of CVEs: the same signal as a maintained secure project. Uh oh.

Written by Samuel Henrique on 2025-01-28 at 16:19

@sethmlarson @joshbressers yeah, I understand if projects don't want to release CVEs for unsupported releases due to the amount of work, but the value of doing so is there. It paints a clear picture of the state of the old releases and lets distributors be aware that they need to fix it themselves. More information is always good.

Written by Jeff Triplett on 2025-01-28 at 16:02

@sethmlarson @joshbressers Preface: I have not read this yet.

In a recent conversation with @hugovk (my office hours maybe), I can't stop thinking about why we don't ship Python, Django, etc. with EOL alerts (warning?) already in mind.

I know not all projects have a fixed life in mind, but more and more of the core tech we work on like Python and Django do have.

Anyways, I'm going to go read that article now.

Written by Seth Larson on 2025-01-28 at 16:06

@webology @joshbressers @hugovk In theory a good idea, in practice I suspect this will cause mass frustration like a time-bomb that lands in our lap every year :(

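The two posts above propose shipping an EOL alert inside a project and then worry that it becomes a yearly time-bomb. The following is an added example of what such an alert can look like; it is not code from Python, Django, or anyone in this thread. It uses a constructed schedule for a hypothetical library, "examplelib", whose "cycle"/"eol" keys are loosely modelled on the per-product JSON that endoflife.date serves (an assumption), adds a warn-ahead window so the alert is announced before the date rather than on it, and treats a release line missing from the schedule as "unknown" rather than "supported", which is the lack-of-signal case Seth describes.

```python
"""EOL-status check for a hypothetical library, "examplelib".

Added example, not code from Python, Django or any poster in the thread.
SAMPLE_SCHEDULE is constructed; its "cycle"/"eol" keys are loosely modelled
on the per-product JSON that endoflife.date serves (an assumption).
"""
import datetime as dt
import warnings


class EndOfLifeWarning(UserWarning):
    """Emitted when a release line is past, or close to, its upstream EOL."""


# Constructed schedule: release line -> last day of upstream support.
SAMPLE_SCHEDULE = [
    {"cycle": "1.0", "eol": "2024-10-07"},
    {"cycle": "2.0", "eol": "2025-03-31"},
    {"cycle": "3.0", "eol": "2027-01-01"},
]


def release_line(version):
    """'2.0.4' -> '2.0': the major.minor cycle the schedule is keyed on."""
    return ".".join(version.split(".")[:2])


def classify(version, schedule, today, warn_days=90):
    """Return (status, days_until_eol).

    status is one of 'eol', 'ending-soon', 'supported', 'unknown'.
    'unknown' covers a version the schedule does not list at all; that is
    the "lack of signal" case and must not be reported as 'supported'.
    """
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    cycle = release_line(version)
    for entry in schedule:
        if entry["cycle"] != cycle:
            continue
        eol = dt.date.fromisoformat(entry["eol"])
        days_left = (eol - today).days
        if days_left < 0:
            return "eol", days_left
        if days_left <= warn_days:
            return "ending-soon", days_left
        return "supported", days_left
    return "unknown", None


def check_and_warn(name, version, schedule, today=None, warn_days=90):
    """Emit an EndOfLifeWarning when appropriate; return the status string.

    The warn_days window announces the date ahead of time, so the alert is
    not a surprise that fires the morning the line goes EOL.
    """
    today = today or dt.date.today()
    status, days_left = classify(version, schedule, today, warn_days)
    if status == "eol":
        warnings.warn(
            f"{name} {version} reached end-of-life {-days_left} days ago; "
            "no further security fixes are published for this line",
            EndOfLifeWarning, stacklevel=2)
    elif status == "ending-soon":
        warnings.warn(
            f"{name} {version} leaves upstream support in {days_left} days",
            EndOfLifeWarning, stacklevel=2)
    elif status == "unknown":
        warnings.warn(
            f"{name} {version}: release line not in the EOL schedule; "
            "support status cannot be determined",
            EndOfLifeWarning, stacklevel=2)
    return status


if __name__ == "__main__":
    warnings.simplefilter("always", EndOfLifeWarning)
    for v in ("1.0.4", "2.0.1", "3.0.0", "9.9.0"):
        print(v, check_and_warn("examplelib", v, SAMPLE_SCHEDULE, "2025-01-28"))
```

Using a warnings category rather than an exception keeps the alert visible to a human while leaving operators a standard switch (`-W error::EndOfLifeWarning` or a filter) to decide whether it should block; a schedule shipped with the package is only as current as the last release, so a missing line is reported as unknown instead of being silently treated as fine.
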
Written by Alyssa Coghlan on 2025-01-28 at 16:06

@sethmlarson @joshbressers I was not expecting to end up laughing out loud when I followed that link.

I also suspect I'm now going to struggle not to laugh at the mental image whenever distroless containers come up in future conversations...

Written by Seth Larson on 2025-01-28 at 16:12

@ancoghlan @joshbressers Josh is an extremely funny fellow, I've been loving this blog so far fwiw :) Also going to be carrying around this mental image too, one of those blessing+curse combos.

Original URL
gemini://mastogem.picasoft.net/thread/113906789573929873