The Linux kernel is 38 million LOC. #curl is 170K. The kernel is 223 times bigger.
The Linux kernel ships 60 CVEs per week, 3100 per year.
curl ships on average 13 CVEs per year, 3100/223 = 14
== Roughly the same CVE/line of code ratio.
Lorenzo Stoakes
in reply to daniel:// stenberg://
If you actually go read the kernel 'CVEs' you'll see that this rationalisation is simply inaccurate.
Greg is trolling the system, it's as simple as that. But ah well.
Lorenzo Stoakes
in reply to daniel:// stenberg://
I don't claim to be an authoritative expert on all, but it's a widely held opinion among kernel devs (at least those I have spoken to in person). And there are numerous examples of questionable things.
Essentially all commits tagged as fixes are assumed to be exploitable security flaws.
You could go further and argue every single commit is a potential security flaw, and by the logic applied, that is absolutely valid. Luckily Greg hasn't quite gone that far...
The issue is there are serious downstream effects for enterprise kernels whose customers demand that CVEs are addressed, so overnight companies have to scramble to handle the deluge.
Of course this all speaks to CVEs being a poor system for this kind of thing, which is why this troll is happening, a sort of 'well the official definition of a CVE is X so I will give you all the Xes'.
Anyway it's all a bit moot, this is just how things are now...
Josh Bressers
in reply to daniel:// stenberg://
If we math this out, that's around 1300 lines of code per vulnerability
The @ecosystems folks are tracking 200 million repos and 9 million packages
2024 will see about 40,000 CVE IDs total
This is fine
daniel:// stenberg://
in reply to Josh Bressers
@joshbressers @ecosystems one CVE per 13K LOC per year according to my math.
So if 10 million packages average at 100K lines each (blatant assumption), we could be looking at about 76 million CVEs/year. =)
daniel:// stenberg://
in reply to lidicrous
a list of publicly known cybersecurity vulnerabilities