December 9, 2025
Kernel drama: CVEs vs JS slop
Linux CVEs, more than you ever wanted to know
Linux security list blows up; fans argue over scary bugs, plain webpages, and Greg’s clout
TLDR: Linux now hands out its own security IDs and tops the charts for CVE volume in 2025. Comments erupted over whether high counts mean transparency or trouble, plus a side brawl over plain HTTP vs heavy “secure” sites—while Greg K‑H’s credibility and past CVE critiques fueled the heat.
Linux’s CVE factory is now in-house—and on fire. Greg Kroah‑Hartman says the kernel community is issuing the bug IDs themselves (CVE = a public ID for a security flaw; CNA = the group handing them out), making Linux the top CVE creator by 2025. Cue the comments: some called the post a tease for promising a series without links, while others fixated on the site’s old‑school HTTP, warning about snoops and pop‑ups. The spiciest take? A link calling Greg “the man who wants to burn down the CVE system”, implying he’s done with confusing databases and inflated numbers. Defenders clapped back: simple pages beat “12MB of JavaScript slop,” and Greg—“the #2 guy behind Linus”—has more credibility than most drive‑by critics. The core fight: does being #1 in CVEs mean Linux is riddled with holes, or just brutally transparent and fast at labeling fixes? Greg’s message says: CVEs are alive, don’t panic, and the crowd split between security purists (HTTPS or bust!) and minimalists (plain HTML forever). Jokes flew about Firefox sirens, a “no‑JS flan recipe,” and the eternal struggle: the CVE buffet vs the NVD salad. Internet drama level: sizzling.
Key Points
- Linux became a CNA nearly two years ago, making kernel.org responsible for issuing CVEs for the Linux kernel.
- By volume, Linux CVE assignments rose to #3 in 2024 and #1 in 2025, prompting interest in process and tracking.
- Multiple talks in 2024 (Open Source Security podcast, Kernel Recipes, OSS Hong Kong, OSS Japan) covered the evolving CVE process.
- In 2025, work on the Cyber Resilience Act dominated speaking, while CVE assignment continued and matured; updates appear on linux-cve-announce.
- A series of posts will detail tools, workflows, versioning, and a simpler CVE tracking approach than CVE JSON, with an in-kernel doc guiding requests and auto-assignment.