@wolf480pl @joshbressers @gregkh I don't think a negative externality has to affect *everyone*. We can argue about who are 1st, 2nd, and 3rd parties in this game, but in the end suboptimal vulnerability management (caused by arguably bullshit CVEs) definitely hurt the security of end users who don't have a say about which vendors their service provider choose (not that there are many orgs out there today who can run without Linux, so this demand is a bit unrealistic too).