
To be fair, once Xint gave the heads-up and the kernel team committed a patch, what was Xint supposed to do? Keep asking the kernel security team to backport patches for the LTS kernels?

As soon as a patch is committed, the clock starts ticking: the exploit will be discovered by reverse engineering recent commits. The commit was made on April 1st, and Xint disclosed it on the 29th. If the kernel security team had wanted to, they had 28 days to backport patches to the LTS branches...

So, I wouldn't put any blame on Xint there.


Yes, and that's why the current system, where security researchers are expected to reach out to the distro mailing list, is flawed. Instead there should be a defined pipeline for the kernel security team to give a heads-up.

Interesting comment by Greg Kroah-Hartman when asked why the kernel team doesn't notify distros directly:

> Nope, sorry, we are NOT allowed to notify anyone about anything "ahead of time" otherwise we will have to tell everyone about everything. That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.

I'd be interested in knowing more about that policy... Seems that there should be exceptions for the major distros.

Of course, major distros that have contracts with SLAs could also pay for someone to be on the kernel security team and get a heads-up like that.


The members of the kernel security team are not allowed to tell their employers anything that happens on the security list. They are there as individual members, not as employees.

And try to define "major distros" in a way that actually means anything viable.

If you just want to count users, then that would only be Android (everything else is a rounding error.) After Android, that would be Yocto, and then Debian. All distros after that are mere fractions of overall users compared to those 3 by number of running systems alone.

If you want to count it as "$ spent on Linux" then that cuts out Android and Yocto and Debian as those distros are free, and would focus purely on the tiny installed base of paid Linux systems, and cut everyone else out.

So what is a fair way to do this other than "we notify no one, and tell everyone to always update their systems to the latest stable releases that we support."

Especially as there is no way for us to determine your use case (i.e. if a specific bug is a vulnerability for you or not.)


Thanks for the reply (and thanks for the work you do)! Fair enough. And the issue is also that without some form of vetting you run the risk of disclosing the 0-day too early?

About that "That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.": do you mean that if you disclose selectively, then you become liable for damages? Or was it a more direct conversation with legal/governmental agencies?

And for a bug like this, what is the policy on backporting patches to LTS branches? It was corrected in mainline on April 1st but only backported after the public disclosure. Do you delay backporting to minimise any attention on the security issue?

I guess that having a patch for that land on all the LTS branches would signal to any would-be attacker that it's a significant security issue...

Sorry for all the questions but I'm genuinely interested.

EDIT: Just read your blog post at http://www.kroah.com/log/blog/2026/01/02/linux-kernel-securi... which does answer a lot of my questions...


If you want to talk about possible exploiting being done, then Android is out (userland is crippled) and I guess Yocto as well (same issue). Not that they can't be attacked, but because mostly what is there is static. As it's a privilege escalation attack, that leaves us with anything that is running code by unverified users (vulnerable server software, Linux shell services, untrusted software you think you've sandboxed with a user account,…). That puts Debian, Ubuntu, RHEL, Fedora, Arch,… installations as the juiciest targets.

Oh... thank you for the reminder to try running the C version of this exploit on an Android phone over adb. The curiosity is now killing me.

Edit: for context, I work in embedded and the aarch64 version (PR #42 in the repo) has successfully popped every device I've tried it against except one where I have a custom kernel to work around a driver issue and (looking back at my git logs) accidentally forgot to enable the user-mode API for alg_aead specifically. Lucky mistake.


Just a wild guess:

Given the potential impact of a severe security issue in the kernel (like this one), it seems that the only process that is acceptable for government agencies of various countries (those that deal with intelligence and national security) is to either keep secrets from everyone, or disclose them to everyone.

Otherwise, the entities on the priority disclosure list would basically have free access to zero day vulnerabilities. Then every country with a national intelligence agency would invent a distro and try to squeeze themselves onto that list, and things would become very political and ugly if the agents of any country can't get into that list...


> You should read the other thread regarding copy fail and the Gentoo maintainer

Do you have a link?


What do you use now? How much RAM do you have? I am increasingly thinking of doing that.

Also could run on a more generic cloud inference or gpu site. At least to see how well it works for your use-case before spending on hardware.

Well, about 4 weeks ago I was mostly running small models. Some of my favorites were deepseek r1 8b and qwen 3.5 9b. Those are more or less good for boilerplate, super fast responses (what I cared about most).

Now I am still trying out all the models that dropped this month. I am running qwen 3.6 35 a3b on a 16GB VRAM RTX 4060 Ti.

I wish I had sprung for a 24GB VRAM card, but I never thought the price difference would matter. It seems like it does, and I bet in the future there will be more models at this size because this is crazy.

It's not as good as Opus if you are doing completely hands-off programming, but it's completely fine for me. I mostly use it for autocomplete or templating a class. Other people are using it for agentic workflows with success.

Check out /r/localllama for more experiences. My setup is not the best, but it is working for me and is saving me money.


> My setup is not the best, but it is working for me and is saving me money.

I've got a local setup too but unless you consider hardware zero cost, there is really no way to save money. The class of model you can run on <$5k of hardware is dirt cheap to run in the cloud (generating tokens 24/7 non-stop is a few dollars a day at most, possibly even less than the cost of electricity to do it at home).


There's truth to that. But I already had the card for other purposes. And I don't have to egress or ingress anything. I love having it all local to me. I also love that I can sell the card later. Funny thing, my GPU has gone up in price, so I might even have made money.

So much to list:

- They ditched their previous Android app for a new one that doesn't get the grandfathered accessibility access, so autofill is mostly useless...

- On Mac, Safari integration is consistently flaky. It regularly keeps getting blocked in a loop telling me to unlock 1Password when 1Password has already been unlocked.

- Passkeys are unreliable to the point of being unusable.

- Autofill frequently doesn't work well: for some reason the site with the same URL as saved in 1Password is not offered during autofill. When 1Password used to work, it helped catch phishing attempts because it wouldn't show autofill on pages that do not match. Nowadays, because of the shitty autofill, people get trained to go to the app, copy the password and paste it into the website. This means that it will no longer protect from phishing attempts.

- The previous behaviour of saving any newly generated password as a password object (not a login) was much better. Now newly generated passwords are only available in the password history of the browser extension you specifically used.

- I can't tell 1Password to ignore a specific website.

At this point, the only reason I'm not using Bitwarden is that search is very slow on it with 2k+ passwords.


I just wish the new CEO would decide to do a Snow Leopard release. Also change the macOS release cadence to "when it's done" instead of yearly.

And mostly reduced creativity.

I'm addicted to reading. I take my Kindle and phone everywhere, so I will grab them when I'm walking, taking a shower, waiting in line, going to the restroom... Between my Kindle and my phone, I read a lot more books than I ever did, but I don't digest the information as much as I used to. I also don't make as many associations between what I read and things going on in my own life. So, in a way, despite reading a lot more, I don't think I benefit as much from it.

Now, I'm purposefully forcing myself not to reach for my Kindle when taking a walk so that my mind can wander as much as I do.


This is a bit outside the point, but how do you actually read while taking a walk, logistically speaking? Do you mean you take a walk somewhere, sit down on a bench, then take your kindle out? Or actually read WHILE walking?

I do this all the time. Hold your Kindle or book far enough away that you have good peripheral vision of your surroundings. Practice widening your view so you can use your peripheral vision to guide your steps while you walk. Look up at intersections.

I can only do this with books. With my phone I am too focused on the phone to work in two visual modes at the same time, which I guess supports the claims.


For a while, I programmed while walking on a mini-laptop. Nice walking paths where I lived. I was on a hobby project and wanted to spend any minute on it. It wasn't pretty. I kept trying to design a contraption I could wear on my shoulders that worked like a laptop desk.

I also attached a laptop to a treadmill at home, but the static electricity from the rubber mat kept zapping the laptop.

The best result was a laptop on an exercise bike. But the bike couldn't have a high resistance or I would lose concentration.


I have an under-desk bike (just pedals really). Being able to just move my feet while working is nice. But yeah once it turns into an actual workout then I'd be focusing on pedaling and not work.

> kept trying to design a contraption I could wear on my shoulders that worked like a laptop desk

Nathan Fielder wears something like this in The Rehearsal. Google tells me it is called Connect-A-Desk.


In my city, if the area is so crowded that I can pick a stranger to follow to the common destination, or if it's so empty that I don't have to worry about walking into someone, I can confidently read even the most engrossing novel on my phone. I won't dare do that with any bigger screen because I won't be able to see the upcoming obstacle.

Aside from what everyone else has mentioned, I wonder if Meta's Ray-Bans or something similar could be useful in this sense (Kindle app in your HUD).

You would still have complete awareness of your surroundings but still be able to read.

I'd argue that's a much more useful "killer app" than recording everyone around you without their consent.


I read while walking; I live in a walkable city. The pedestrian way is safe. I stop reading when I arrive at any intersection, then start again once I cross. Even as a kid, I'd rush to open any magazine I bought before I got back home and would read it while walking.

I live in a walkable city and am safe, but others don't appreciate me bumping into them. And I want to reach the destination without bumping into walls, or stepping into the bike lane or car lane.

See the above comment by pfooty, who explains it better than I did. I don't bump into people or walls. I use my peripheral vision to see what's happening while reading my Kindle.

Honestly, it's never seemed hard to me, and I don't remember a time when I was not able to walk while reading without bumping into things. Even as a student studying for exams, I'd walk around in circles in my room reading my textbooks; for some reason walking helped me remember better...


An early stage iPhone app has you covered for typing ;) https://www.type-n-walk.com/

Reading while walking is possible. I used to do this, but with physical books.

I used to do it walking to school when I was about 10. Nearly got hit by cars quite a bit.

That does seem to depend on countries and universities.

I do have to say I was appalled by some of the tests I had as an exchange student in the US (I will not name the university in question, but it is ranked around 60 in the US rankings). I remember a computer graphics test where a lot of questions were of the type "Which companies created the consortium maintaining the OpenGL specification?"... It was fully possible to obtain a passing grade just by rote memorization of facts. So I have no trouble believing that in the US it's possible at some universities to get a software engineering degree without understanding or critical thinking.


Yeah, I hated the keyboard but really did like the Touch Bar. Apple really dropped the ball there, though. We shouldn't have needed BetterTouchTool to make it useful.
