A hands-on look at CVE patching and support lifecycles and why your choice of binaries shapes the reliability and predictability of production systems.
How fast is RedHat CVE patching compared to Tanzu on average?
I am really convinced that a secure supply chain is crucial for enterprises.
I am asking the question for the sake of balance in the analysis.
The article repeats that for Tanzu you have to wait for the upstream maintainer and then the BOM update to get the CVE fix. That gives the feeling that it's a slow process. On the other hand, the time to deliver is not mentioned for RedHat.
That is a good question. Here's the overview (Table 3). It depends on severity. They are only published retrospectively. I couldn't find one for 2024. Might need to dig around a little more. Should give you a first idea.
https://www.redhat.com/en/resources/product-security-risk-report-2023
Thank you. At least RedHat gives a clear insight.
On the contrary, the documented commitment to resolve CVEs at Tanzu that I have found on Broadcom's site is vague.
For example, they are writing that "Critical [CVE]: Begin work on a fix or corrective action immediately and provide the fix to customers in the shortest commercially reasonable time."
https://knowledge.broadcom.com/external/article/405328/tanzu-external-vulnerability-response-an.html
I mean, as a software engineer, I totally get it. Hard to "promise" and even harder as a company to "commercially commit" to something. So I don't judge anyone for not disclosing this.