Non-determinism is an issue with patching CVEs (opens in new tab)

(flox.dev)

44 pointsmathewpregasen1d ago12 comments

12 comments

Reads kind of sales-pitchy. Every day we see another actively exploited Linux LPE; have you thought about your SBOM today?

ohnei1d ago

I like nix and its approach but if I'm being honest I think its also getting easier to be sloppy about dependencies and ask AI to find any dependencies that might be missing from the cleanly installed packaging metadata. There's maybe a paradox for developers in that we can try to drop structure and brute force scan first intensively enough to catch anything likely to get caught or we can ask AI to finally apply all the rigorous methods we decided were too expensive for routine software and probably have minimally more things to run with each release.

ronef1d ago

I feel we should definitely be digging way beyond the SBOM... but also wondering if the forecasting in the general ecosystem is on point or not.

ronef1d ago

I.e. is this overhyped?

tremon1d ago

Are you offering an easy fix for that "Linux" line on your SBOM?

tptacek1d ago

No, I'm making an aesthetic critique of a promotional blog post, as an author of commercial technical blog posts myself.

edelbitter1d ago

I found that reducing my "Linux" lines from ~21000 (including net-pf-16-proto-21) down to those ~3000 I might actually use (e.g. udp_tunnel) to be a fairly effective method of not having to care about each and every newly discovered memory safety hazard.

1 more reply

jambay1d ago

There has been so much discussion about the increase of volume in CVEs. I love that it's super apparent from looking at that graph of CVEs by year, there is a noticeable bend in the slope upward in the 2026 plot. It's not just hype, the rate of CVEs is changing faster than prior years.

LoganDark1d ago

That is not the title of the article:

> Achieving CVE Remediation in an Era of Escalating Vulnerabilities

j / k navigate · click thread line to collapse