
Submission + - Python Software Foundation refuses $1.5 million grant with anti DEI provision. (blogspot.com) 1

Jeremy Allison - Sam writes: The PSF has withdrawn a $1.5 million proposal to a US government grant program.

"We became concerned, however, when we were presented with the terms and conditions we would be required to agree to if we accepted the grant. These terms included affirming the statement that we “do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI, or discriminatory equity ideology in violation of Federal anti-discrimination laws.”"

Submission + - Samba gets funding from the German Sovereign Tech Fund.

Jeremy Allison - Sam writes: The Samba project has secured significant funding (€688,800.00) from the German
Sovereign Tech Fund (STF) to advance the project. The investment was
successfully applied for by SerNet. Over the next 18 months, Samba developers
from SerNet will tackle 17 key development subprojects aimed at enhancing
Samba’s security, scalability, and functionality.

The Sovereign Tech Fund is a German federal government funding program that
supports the development, improvement, and maintenance of open digital
infrastructure. Their goal is to sustainably strengthen the open source
ecosystem.

The project's focus is on areas like SMB3 Transparent Failover, SMB3 UNIX
extensions, SMB-Direct, Performance and modern security protocols such as SMB
over QUIC. These improvements are designed to ensure that Samba remains a
robust and secure solution for organizations that rely on a sovereign IT
infrastructure. Development work began as early as September the 1st and is
expected to be completed by the end of February 2026 for all sub-projects.

All development will be done in the open following the existing Samba
development process. First gitlab CI pipelines have already been running [4]
and gitlab MRs will appear soon!

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fsamba.plus%2Fblog%2Fdetail...

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.sovereigntechfund....

Comment Re:Maybe (Score 1) 104

The upstream Linux kernel doesn't differentiate between security bugs and "normal" bug fixes. So the new kernel.org CNA just assigns CVEs to all fixes. They don't score them.

Look at the numbers from the whitepaper:

"In March 2024 there were 270 new CVEs created for the stable Linux kernel. So far in April 2024 there are 342 new CVEs:"

Comment Re:Yeah (Score 1) 104

Yes! That's exactly the point. Trying to curate and select patches for a "frozen" kernel fails due to the firehose of fixes going in upstream.

And in the kernel many of these could be security bugs. No one is doing evaluation on that, there are simply too many fixes in such a complex code base to check.

Comment Re:Maybe (Score 1) 104

You're missing something.

New bugs are discovered upstream, but the vendor kernel maintainers either aren't tracking, or are being discouraged from putting these back into the "frozen" kernel.

We even discovered one case where a RHEL maintainer fixed a bug upstream, but then neglected to apply it to the vulnerable vendor kernel. So it isn't like they didn't know about the bug. Maybe they just didn't check the vendor kernel was vulnerable.

I'm guessing management policy discouraged such things. It's easier to just ignore such bugs if customers haven't noticed.

Submission + - Why a 'frozen' distribution Linux kernel isn't the safest choice for security (zdnet.com) 1

Jeremy Allison - Sam writes: Cracks in the Ice: Why a 'frozen' distribution Linux kernel isn't the safest choice for security

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fciq.com%2Fblog%2Fwhy-a-fro...

This is an executive summary of research that my colleagues Ronnie Sahlberg and Jonathan Maple did, published as a whitepaper with all the numeric details here:

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fciq.com%2Fwhitepaper%2Fven...

Steven Vaughan-Nichols is covering the release of this data here:

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2F...

Comment Re:In other news... (Score 1) 222

I'm going to attack your post here. But I don't intend this as a personal attack; you may very well be arguing in good faith, just from outdated information. Being even a few years behind - and your citation of a decade-old book suggests you're farther behind than that - means you've missed out on a ton of new information about the practical scale of renewable power (did you know that worldwide we're installing almost 1.5GW of solar power EVERY DAY OF THE YEAR these days?).

> In the USA we've had decades of nuclear fission providing something like 20% of our electricity and with each closing of a nuclear power plant there's increased use of fossil fuels to replace them.

Coal use in the US has been plummeting (down 680TWh in the last decade), and rising natural gas use (up 460TWh in the last decade) is only offsetting about half that fall. You may be interested to read the EIA's annual report: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.eia.gov%2Felectricit... (see, particularly, chapter 3). And renewables provide about 3x as much annual energy as nuclear plants do, per dollar spent (using un-subsidized prices: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.lazard.com%2Fmedia%2F2...). So your argument that spending money on new nuclear plants is reducing carbon emissions is untrue.

> Uranium and thorium is stored energy, stores of energy upon which we can draw from as desired.

Also not true. Sure, uranium and thorium store quite a lot of energy. But we can't draw on them "as desired." We can draw on them with about three days' warning, assuming the plant's fueled, maintained, and waiting to start up. Nuclear power does not provide a backup to a renewable grid, unless that grid already has sufficient storage that you can forecast a need for a nuclear backstop 3+ days in advance. And if you think we're *not* going to have a renewable grid, you haven't been paying attention to how incredibly cheap renewables are. 94% of planned capacity additions to the US grid in 2024 are solar, wind, and batteries. Everything else combined is 6%. See EIA again: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.eia.gov%2Ftodayinene... But even that is an understatement of how renewables-dominated the grid pipeline is, because it ignores planned retirements. Coal, oil, natural gas, and nuclear power capacity are ALL forecast to fall this year as new capacity fails to offset retirements. New renewables are not only supplying the new energy required as grid demand rises, but are now displacing existing capacity.

And this year isn't a fluke, it's a continuation of a developing theme: cheap power sources get built. Check out the forecasts through 2027: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.eia.gov%2Felectricit... Coal: down 32GW. Gas: up 5GW. Wind: up 30GW. Solar: up 100GW.

> This isn't because people hate clean air and a stable climate but because renewable energy cannot reliably provide energy when and where it is needed.

Why do you think that's true? We have ample modeling from research teams throughout the world all pointing to the same conclusion: there are tons of different ways to provide 100% supply/demand matching with different amounts of overbuilding and/or storage (and some amount of demand response would be even cheaper, but isn't technically necessary) - the "renewables work fine" conclusion is not sensitive to how the build-out proceeds. And we have practical examples of it working in the real world: e.g. South Australia which was 71% renewable-powered over the entire year last year, despite its tiny geographic footprint, weak interconnections with other states, and almost no storage at all. And they're targeting net 100% renewable electricity just THREE YEARS from now, enabled by a connection to NSW coming online, and a bit of new battery development. Fully one quarter of the time, the state's at or above 100% renewables, so clearly the predicted stability and grid control problems are surmountable: it's just a matter of building enough generation to supply the bulk energy, and then some combination of transmission and energy storage to match supply and demand.

And that's precisely what will happen. Any utility that wants new bulk energy will build wind and solar, because they can rely on 'free' load matching from gas plants ramping up and down, so it's extra cheap. The learning rate will drive down the cost of wind and solar even further, meaning they'll continue to be built, even after we've built so much of them that sometimes they get curtailed, because that will still be cheaper than building any of the alternatives. Then, during the day, everything non-solar will have to ramp down to make way for cheap solar power because it has the cheapest marginal cost and ample supply. And that means that plants that can't ramp much (coal) or at all (nukes) will either have to bid less than zero (see what's happening in Australia...) in order to be allowed to run so that they can supply energy into the evening peak, or they'll be forced to close (see...Australia). This happens gradually: their profitability keeps slipping year after year until their owners give up and quit. Note that it's already cheaper to build a brand new PV plant (in much of the world) to generate electricity than it is to simply keep operating an existing already-paid-for coal, gas, or nuclear plant (LCOE for new generation vs short-run marginal cost for coal, gas, nukes).

So now we have renewables and gas, but gas is increasingly expensive because its capacity factor keeps falling and the operators need to pay off their CAPEX. Enter: batteries (and CAES, PHS, normal hydro, etc.) which will increasingly cut further into gas's profitability by relegating gas plants to an increasingly marginal role providing extremely expensive peaking power, but little bulk energy. Which is TOTALLY FINE! A huge fleet of cheap-to-build, inefficient open cycle gas turbines operating for 100 hours a year to get us from 99% to 99.99% served energy is TOTALLY FINE. We just need to stop running them year-round to provide bulk energy.

I've presented this as a series of steps, but of course all these things will be - already are - happening gradually, and together, over the next few decades. The fossil fuel industry is mortally wounded but still alive; in a decade or so it'll be dead but still twitching; hopefully in two decades it'll be fully buried (and/or dug up: did you know that the oil and gas pipelines in the US have enough steel in them to satisfy two full years of nation-wide steel demand? More than enough to build all the wind turbine towers we'll need!).
