From: Kees Cook <keescook@chromium.org>
To: Will Deacon <will@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
security@kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
Date: Thu, 9 Jul 2020 15:17:02 -0700 [thread overview]
Message-ID: <202007091515.EC09267FC@keescook> (raw)
In-Reply-To: <20200709204255.GA29288@willie-the-truck>
On Thu, Jul 09, 2020 at 09:42:56PM +0100, Will Deacon wrote:
> On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> > The security contact list gets regular reports contained in archive
> > attachments. This tends to add some back-and-forth delay in dealing with
> > security reports since we have to ask for plain text, etc.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> > index dcd6c93c7aac..c32eb786201c 100644
> > --- a/Documentation/admin-guide/security-bugs.rst
> > +++ b/Documentation/admin-guide/security-bugs.rst
> > @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
> >
> > As it is with any bug, the more information provided the easier it
> > will be to diagnose and fix. Please review the procedure outlined in
> > -admin-guide/reporting-bugs.rst if you are unclear about what
> > +:doc:`reporting-bugs` if you are unclear about what
> > information is helpful. Any exploit code is very helpful and will not
> > be released without consent from the reporter unless it has already been
> > made public.
> >
> > +Please send plain text emails without attachments where possible.
> > +It is much harder to have a context-quoted discussion about a complex
> > +issue if all the details are hidden away in attachments. Think of it like a
> > +:doc:`regular patch submission <../process/submitting-patches>`
> > +(even if you don't have a patch yet): describe the problem and impact, list
> > +reproduction steps, and follow it with a proposed fix, all in plain text.
> > +
>
> Acked-by: Will Deacon <will@kernel.org>
Thanks!
>
> Hopefully "plain text" implies unencrypted as much as it does "not html".
I decided not to write a paragraph about how security@ isn't a
role-account with a separate GPG key etc etc. Those cases are rare
enough that I don't think it (yet) warrants a paragraph here. I want to
strike a balance between "all your questions are answered" and "there's
too much here for me to find the answer to my question". :)
--
Kees Cook
next prev parent reply other threads:[~2020-07-09 22:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
2020-07-09 20:42 ` Will Deacon
2020-07-09 22:17 ` Kees Cook [this message]
2020-07-10 3:45 ` Willy Tarreau
2020-07-10 10:37 ` Peter Zijlstra
2020-07-09 22:50 ` Jiri Kosina
2020-07-09 23:03 ` Gustavo A. R. Silva
2020-07-10 6:49 ` Greg Kroah-Hartman
2020-07-10 10:36 ` Peter Zijlstra
2020-07-13 15:37 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202007091515.EC09267FC@keescook \
--to=keescook@chromium.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.