Looking forward to posts links in the series. This seems like a bit of a tease.
2nd 'graph of TFA links five talks on the topic all within the past two years.
Perhaps I misunderstand, but aren't those far above the "So here’s a series of posts" and its bullet list?
[flagged]
Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
I'm surprised Firefox didn't warn me when I went to the page. Hostile teleco/MITM waiting for HTTP traffic are a real-world way that nation states deliver exploits.
PKI is basically powerless against nation states executing a targeted MITM attack. It does prevent them from passively snooping everything.
It did for Librewolf -- what I moved to from Firefox. Self-Signed certs I'm down with, http I'm not, and never will be for any reason. Plain-text data transmissions have no acceptable reasoning.
[deleted]
You do realize self-signed certs are useless, could have been tampered with, and could have just as easily been created by a malicious actor?
There's a reason most default self signed certs are called "snake oil".
You can pre-share the certificate out of band, or set up your browser to TOFU like SSH does. Then they are not useless and may be superior to PKI for certain threat models.
You can enable it in the settings.
Posted on December 8, 2025 | Greg K-H
It’s been almost 2 full years since Linux became a CNA⁰ (Certificate Numbering Authority) which meant that we (i.e. the kernel.org community) are now responsible for issuing all CVEs for the Linux kernel. During this time, we’ve become one of the largest creators of CVEs by quantity, going from nothing to number 3 in 2024 to number 1 in 2025. Naturally, this has caused some questions about how we are both doing all of this work, and how people can keep track of it.
I’ve given a number of talks over the past years about this, starting with the Open Source security podcast right after we became¹ a CNA and then the Kernel Recipes 2024 talk, “CVEs are alive, but do not panic”² and then a talk³ at OSS Hong Kong 2024 about the same topic with updated numbers and later a talk at OSS Japan⁴ 2024 with more info about the same topic and finally for 2024 a talk with more detail⁵ that I can’t find the online version.
In 2025 I did lots of work on the CRA⁶ so most of my speaking⁷ over this year has been about that topic , but the CVE assignment work continued on, evolving to meet many of the issues we had in our first year of being a CNA. As that work is not part of the Linux kernel source directly, it’s not all that visable to the normal development process, except for the constant feed on the linux-cve-announce mailing list⁸ I figured it was time to write down how this is all now working, as well a bunch of background information about how Linux is developed that is relevant for how we do CVE reporting (i.e. almost all non-open-source-groups don’t seem to know how to grasp our versioning scheme.)
There is a in-kernel document⁹ that describes how CVEs can be asked for from the kernel community, as well as a basic summary of how CVEs are automatically asigned. But as we are an open community, it’s good to go into more detail as to how all of us do this work, explaining how our tools have evolved over time and how they work, why some things are the way they are for our releases, as well as document a way that people can track CVE assignments on their own in a format that is, in my opinion, much simpler than attempting to rely on the CVE json format (and don’t get me started on NVD…)
So here’s a series of posts going into all of this, hopefully providing more information than you ever wanted to know, which might be useful for other open source projects as they start to run into many of the same issues we have already dealt with (i.e. how to handle reports at scale):
Linux kernel versions, how the Linux kernel releases are¹⁰ numbered.
But how do you know, that if kroah.com would use Let's Encrypt it would belong to Greg K-H? What if his true WEB-site would be e.g. greg-k-h.com?
Right. Also, when it comes to the other aspects of TLS, such as preventing middlemen from making sense of what information flows between you and the server, what exactly is the threat in this case? I mean, it's a public blog post, which you only ask to read and so you are served.
[deleted]
It's not about threat, it's about privacy. I understand your statements but 'what is the threat in this case' to answer that: I don't want to know, I've moved on from those worries. Always encrypt.
What privacy? Whoever is watching your traffic can see you accessed their website with HTTPS, they can guess with high accuracy which article you are reading based on the response size.
Objectively better than serving 12MB of JavaScript slop, trackers, and "analytics" over HTTPS so you can share a recipe for flan.
Greg K-H has more credibility than 99% of posters here.
He's literally the #2 guy in Linuxworld (behind Linus). What have you done?
You enumerated the security risks of clear text transmission over the Internet and everything came up green because the blogger works on Linux?
If you are too afraid to click a cleartext HTTP link then don't; it's not for you. Just spare the rest of us the melodrama.
While you are at it, better not ever update Debian or any number of other OSes because their updates are served over plain HTTP.
You almost had a great point here. If he began every blog rant with BEGIN PGP SIGNED MESSAGE and included a digital key somewhere secure, somewhere that I could go and verify, just Debian does with updates, I maybe could tolerate the cleartext. But he clearly didn't (pun alert!)
I enjoy this person's writings, and contributions. I am Linux's biggest fan and research cyber security daily.
I would prefer https.
I prefer a nice cappuccino, but sometimes all that's available is plain black coffee from the shared pot in the canteen (which someone could have tampered with).
But we drink it anyway (at risk) because it's free.
Looking forward to posts links in the series. This seems like a bit of a tease.
2nd 'graph of TFA links five talks on the topic all within the past two years.
Perhaps I misunderstand, but aren't those far above the "So here’s a series of posts" and its bullet list?
[flagged]
Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
https://news.ycombinator.com/newsguidelines.html
I'm surprised Firefox didn't warn me when I went to the page. Hostile teleco/MITM waiting for HTTP traffic are a real-world way that nation states deliver exploits.
PKI is basically powerless against nation states executing a targeted MITM attack. It does prevent them from passively snooping everything.
It did for Librewolf -- what I moved to from Firefox. Self-Signed certs I'm down with, http I'm not, and never will be for any reason. Plain-text data transmissions have no acceptable reasoning.
You do realize self-signed certs are useless, could have been tampered with, and could have just as easily been created by a malicious actor?
There's a reason most default self signed certs are called "snake oil".
You can pre-share the certificate out of band, or set up your browser to TOFU like SSH does. Then they are not useless and may be superior to PKI for certain threat models.
You can enable it in the settings.
Posted on December 8, 2025 | Greg K-H
It’s been almost 2 full years since Linux became a CNA⁰ (Certificate Numbering Authority) which meant that we (i.e. the kernel.org community) are now responsible for issuing all CVEs for the Linux kernel. During this time, we’ve become one of the largest creators of CVEs by quantity, going from nothing to number 3 in 2024 to number 1 in 2025. Naturally, this has caused some questions about how we are both doing all of this work, and how people can keep track of it.
I’ve given a number of talks over the past years about this, starting with the Open Source security podcast right after we became¹ a CNA and then the Kernel Recipes 2024 talk, “CVEs are alive, but do not panic”² and then a talk³ at OSS Hong Kong 2024 about the same topic with updated numbers and later a talk at OSS Japan⁴ 2024 with more info about the same topic and finally for 2024 a talk with more detail⁵ that I can’t find the online version.
In 2025 I did lots of work on the CRA⁶ so most of my speaking⁷ over this year has been about that topic , but the CVE assignment work continued on, evolving to meet many of the issues we had in our first year of being a CNA. As that work is not part of the Linux kernel source directly, it’s not all that visable to the normal development process, except for the constant feed on the linux-cve-announce mailing list⁸ I figured it was time to write down how this is all now working, as well a bunch of background information about how Linux is developed that is relevant for how we do CVE reporting (i.e. almost all non-open-source-groups don’t seem to know how to grasp our versioning scheme.)
There is a in-kernel document⁹ that describes how CVEs can be asked for from the kernel community, as well as a basic summary of how CVEs are automatically asigned. But as we are an open community, it’s good to go into more detail as to how all of us do this work, explaining how our tools have evolved over time and how they work, why some things are the way they are for our releases, as well as document a way that people can track CVE assignments on their own in a format that is, in my opinion, much simpler than attempting to rely on the CVE json format (and don’t get me started on NVD…)
So here’s a series of posts going into all of this, hopefully providing more information than you ever wanted to know, which might be useful for other open source projects as they start to run into many of the same issues we have already dealt with (i.e. how to handle reports at scale):
(contents served over SSL, by virtue of YC)0: http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/
1: https://opensourcesecurity.io/2024/02/25/episode-417-linux-k...
2: https://kernel-recipes.org/en/2024/cves-are-alive-but-no-not...
3: https://www.youtube.com/watch?v=at-uDXbX-18
4: https://www.youtube.com/watch?v=KumwRn1BA6s
5: https://ossmw2024.sched.com/event/1sLVt/welcome-keynote-50-c...
6: https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...
7: https://kernel-recipes.org/en/2025/schedule/the-cra-and-what...
8: https://lore.kernel.org/linux-cve-announce/
9: https://www.kernel.org/doc/html/latest/process/cve.html
10: http://www.kroah.com/log/blog/2025/12/09/linux-kernel-versio...
[flagged]
But how do you know, that if kroah.com would use Let's Encrypt it would belong to Greg K-H? What if his true WEB-site would be e.g. greg-k-h.com?
Right. Also, when it comes to the other aspects of TLS, such as preventing middlemen from making sense of what information flows between you and the server, what exactly is the threat in this case? I mean, it's a public blog post, which you only ask to read and so you are served.
It's not about threat, it's about privacy. I understand your statements but 'what is the threat in this case' to answer that: I don't want to know, I've moved on from those worries. Always encrypt.
What privacy? Whoever is watching your traffic can see you accessed their website with HTTPS, they can guess with high accuracy which article you are reading based on the response size.
Objectively better than serving 12MB of JavaScript slop, trackers, and "analytics" over HTTPS so you can share a recipe for flan.
Greg K-H has more credibility than 99% of posters here.
He's literally the #2 guy in Linuxworld (behind Linus). What have you done?
You enumerated the security risks of clear text transmission over the Internet and everything came up green because the blogger works on Linux?
If you are too afraid to click a cleartext HTTP link then don't; it's not for you. Just spare the rest of us the melodrama.
While you are at it, better not ever update Debian or any number of other OSes because their updates are served over plain HTTP.
You almost had a great point here. If he began every blog rant with BEGIN PGP SIGNED MESSAGE and included a digital key somewhere secure, somewhere that I could go and verify, just Debian does with updates, I maybe could tolerate the cleartext. But he clearly didn't (pun alert!)
I enjoy this person's writings, and contributions. I am Linux's biggest fan and research cyber security daily.
I would prefer https.
I prefer a nice cappuccino, but sometimes all that's available is plain black coffee from the shared pot in the canteen (which someone could have tampered with).
But we drink it anyway (at risk) because it's free.
This blog post, brought to you by the man who wants to burn down the CVE system https://lwn.net/Articles/1049140/
To be fair the CVE system can't even encode a version string