Actually, does it? Yes, the obvious upside when I type in slack.com instead of 123.45.56.67 is very good. Does this same upside apply to addresses I don't type in? What's actually the advantage of addressing one of foobarcorp's infinitude of servers using the string "123-45-57-78.slp05.mus.foobar.com" instead of "123.45.57.78"? It seems to just waste bytes. And most communication is of the latter sort - an app talking to its own servers managed by the same company.
BGP can be hijacked. Anycast IPs exist. Rolling out a new release when one of your IPs is unavailable could be a severe challenge. SVC records are actually kinda neat.
All of that's a problem with DNS too, even updating the IP. You could still use it to get the initial entry point if you wanted. But when you serve a webpage with an automatically generated pointer to image3.yourdomain, the only reason not to make that an IP is HTTPS, and LE just started issuing IP address certificates. Think about it - it saves a few round trips.
If it was easy I would expect 5-10% of people would probably do it, much like alternate desktop installs
This would mean millions of devices
You mention Graphene is more secure, so what exactly am I gaining from not being able to install it, other than my phone being trash once it's out of support?
> What about having several use cases in mind, and give the scores for each of those?
I imagine the same reason they don't score for 1, it takes time that could be allocated elsewhere
tbh I think scoring for multiple scenarios would take more time and be less useful. kernel devs are not implementors, they may have never used docker or built a cut down kernel for an iot device, they just build a general purpose kernel
And not scoring means that the security triage teams everywhere have to spend their time to assess the severity on their own, and in doing so, they mostly duplicate each other's work while deduplication is nigh impossible. Is this a worthwhile trade?
Consider e.g. vehicle recalls: the manufacturer could very well (barring legal requirements and the general public's expectation) just leave it to the customers and the repairmen out there to discover and deal with the defects on their own.
> kernel devs are not implementors, they may have never used docker or built a cut down kernel for an iot device, they just build a general purpose kernel
Well that's a pretty condescending look upon the kernel maintainers. Making a successful general-purpose kernel (nevermind making a general-purpose kernel that also has a lot of quite specific affordances for custom scenarios) still requires understanding of how it will be used.
> And not scoring means that the security triage teams everywhere have to spend their time to assess the severity on their own,
We have to do that anyway because a worst case assessment is almost never worst case or even close.
CVSS is just the wrong tool for the job anyway. It's like assessing individual car parts on dimensions like "steering" and "acceleration" when most parts have no direct relationship to the completed product's high level qualities. And then you construct "worst case" stories that go "well, in the event that you are not steering while accelerating sharply, a fault in this seat cover could make that whole thing worse and cause a fatal crash: CVSS 9.9!"
The algorithm is not optimised for meaningful interactions, even 10 years ago I couldn't get it to even mostly show friends and family after fighting it for a week
The algorithm is optimized to show you content you tend to engage with. You couldn't get it to show you meaningful interaction because you didn't engage with it.