Greg K-H

Looks like the AI companies have finally run out of money as they are asking various open source projects to test their closed source products for them for free. What could go wrong with giving access to an unknown tool to private code repos? If I didn't know better, I would think this is an elaborate phishing scam, or they have run out of data to scrape and need more training material. Gotta admire their brazenness...
Prediction for the potential future: When the AI coding agent companies are just about to run out of money, down to their last few % raised as none of their customers are actually paying the real cost required to run these services, they pivot and take all of the uploaded code that was willingly sent to them, turn it into thousands of products / services to sell / rent, disconnect the public API endpoints leaving their old customers helpless as they no longer remember how to program "in the raw" and cannot understand their own codebases, and compete directly against them putting their own customers all out of business which finally results in a positive income stream and "validation" of the coding agent companies' previously over-hyped business valuations. "But copyright law will prevent this!" you say...
The kernel CNA assigned their 10000th CVE last week, CVE-2025-68750. So far the "stats" look like:

Year    Reserved  Assigned  Rejected  A+R    Returned  Total
2019:   0         2         1         3      47        50
2020:   0         17        0         17     33        50
2021:   0         732       24        756    16        772
2022:   3         2041      47        2088   0         2091
2023:   1         1464      47        1511   0         1512
2024:   6         3069      96        3165   0         3171
2025:   73        2421      39        2460   0         2533
Total:  83        9746      254       10000  96        10179

Note, the "year" is the year the bug was fixed in the kernel tree, NOT the year the CVE was applied for/assigned.
Rust is not a "silver bullet" that can solve all security problems, but it sure helps out a lot and will cut out huge swatches of Linux kernel vulnerabilities as it gets used more widely in our codebase. That being said, we just assigned our first CVE for some Rust code in the kernel: where the offending issue just causes a crash, not the ability to take advantage of the memory corruption, a much better thing overall. Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase, so as always, everyone should be upgrading to newer kernels to remain secure overall.
Starting to write up a series of articles about the Linux kernel CVE work that has happened in the past 2 years, starting with some "back to basics" information about how Linux kernels are numbered as many people/companies really don't know how we do this, and it matters a lot in tracking bugfixes and how to determine "vulnerable" and "fixed" kernel releases: and
The last 5.4.y kernel release has now happened: Please don't use this branch anymore, it's really old, and pretty obsolete, and has over 1500 unfixed CVEs in it: And if you are stuck with that kernel version for some reason, go ask your vendor to fix those 1500+ CVEs, otherwise you are paying for support that doesn't actually do anything for you...