This does seem like the pretty obvious and inevitable outcome. Determining if a bug fix has security implications and if so how severe they are is often very difficult and all that you can confidently say is that you don’t know how to exploit it. Downstream consumers have tried to pressure the kernel maintainers into deciding which fixes need to be backported by demanding CVEs, but now they’re running into the problem of that they didn’t actually ask for the thing they really wanted since they knew that request would be (and has been) denied.
reply