Significant raise of reports

Original link: https://lwn.net/Articles/1065620/

Recent discussion highlights a significant increase in vulnerability reports, which may overwhelm maintainers. One comparison is made with Syzbot, which currently has 1300 open issues on its dashboard. One commenter points out a worrying trend: chaining bugs into exploit chains to force prioritization, framing them as security issues in order to get attention. However, there is also hope that the increase represents the purging of a long backlog, provided that stricter code review is applied before merging. A key suggestion is to use AI, such as the Sashiko tool being piloted in the memory management subsystem, to proactively improve code quality and prevent bugs from being introduced in the first place, rather than merely reacting to a flood of reports. Whether this pace of reporting is sustainable in the long term remains uncertain.

Original
Posted Mar 31, 2026 17:11 UTC (Tue) by wtarreau (subscriber, #51152)
Parent article: Vulnerability Research Is Cooked (sockpuppet.org)

Significant raise of reports

How does this compare to Syzbot? I see there are 1300 open issues right now on its dashboard.

Significant raise of reports

The easiest way to get attention to the backlog of syzbot reports (but absolute worst way to overload maintainers) is using them in an exploit chain. I expect that to happen pretty soon (or maybe it is already happening).
It's the old method of framing bugs as security bugs to get attention.

Significant raise of reports

I don't know how long this pace will last. I suspect that bugs are reported faster than they are written, so we could in fact be purging a long backlog (and I hope so).

This makes sense, and the key way of making sure the bug reports are primarily about purging a backlog is to apply the same kind of scrutiny to code before it ever gets merged. Basically, the key is to use AI to improve code quality (both already merged and pre-merge) rather than just spamming as much new stuff as possible. This matches up very well with the article on Andrew Morton trying to make Sashiko a required part of submissions to the memory management subsystem.
