From: Solar Designer <solar@openwall.com>
To: Kees Cook <keescook@chromium.org>
Cc: Sasha Levin <sashal@kernel.org>,
	corbet@lwn.net, will@kernel.org, peterz@infradead.org,
	gregkh@linuxfoundation.org, tyhicks@canonical.com,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
Date: Fri, 19 Jul 2019 10:42:15 +0200
Message-ID: <20190719084215.GA24691@openwall.com>
In-Reply-To: <201907181833.EF0D93C@keescook>

On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > > 
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@kernel.org's policy.
> > > > 
> > > > Suggested-by: Solar Designer <solar@openwall.com>
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > 
> > > Sorry, but NACK, see below...

I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then
I suggest that we apply Sasha's first revision of the patch instead.
I think either revision is an improvement on the status quo.

> I think reinforcing information to avoid past mistakes is appropriate
> here.

Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:

- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.

- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@k.o or whether
they want someone on linux-distros to help coordinate with security@k.o.
(Maybe this is something we want to write about here.)

- The Linux kernel bug having been introduced too recently to be of much
interest to distros.

> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.

This happens too.  Regarding missing the "[vs]" detail, technically
there are also a number of other conditions that also let the message
through, but those are changing and are deliberately not advertised.

> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.

Right.

> This has caused leaks in the past

Do you mean leaks to *BSD security teams or to the public?  I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list.  Are you?

Alexander
