From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Krzysztof Kozlowski <krzk@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
Marek Szyprowski <m.szyprowski@samsung.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Brooke Basile <brookebasile@gmail.com>,
Felipe Balbi <balbi@kernel.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Subject: Re: [PATCH 2/2] docs: admin-guide: Not every security bug should be kept hidden
Date: Thu, 27 Aug 2020 10:54:47 -0700
Message-ID: <202008271053.A28980248@keescook>
In-Reply-To: <20200827121123.GC417381@kroah.com>
On Thu, Aug 27, 2020 at 02:11:23PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Aug 27, 2020 at 12:53:19PM +0200, Krzysztof Kozlowski wrote:
> > --- a/Documentation/admin-guide/security-bugs.rst
> > +++ b/Documentation/admin-guide/security-bugs.rst
> > @@ -78,6 +78,12 @@ include linux-distros from the start. In this case, remember to prefix
> > the email Subject line with "[vs]" as described in the linux-distros wiki:
> > <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
> >
> > +Fixes for non-exploitable bugs which do not pose a real security risk, should
> > +be disclosed in a regular way of submitting patches to Linux kernel (see
> > +:ref:`Documentation/process/submitting-patches.rst <submitting-patches>`).
> > +Just because patch fixes some off-by-one or NULL pointer exception, does not
> > +classify it as a security bug which should be discussed in closed channels.
>
> I said this on another thread, but almost always, when we get reports
> like this on security@k.o, we do push them back to public lists.
>
> For the most part, this paragraph is not going to help much (mostly for
> the reason that no one seems to read it, but that's a different
> topic...) We get crazy reports all the time, and that's fine, because
> sometimes, there is a real issue in some of them. And for that, we do
> want to be careful. We also have many documented "off-by-one" bugs
> that were real security issues (there's a blog post somewhere about how
> a developer turned such a bug into a root hole, can't find it right
> now...)
>
> So while I understand the temptation here, based on the current
> security@k.o traffic, I doubt this will really change much :(
And given our relatively low traffic, I'd rather we (the
security@kernel.org folks) make the determination if things should be
public or private. We should be the ones on the hook for those judgement
calls, not the reporter reading our documentation. :)
--
Kees Cook
Thread overview: 8+ messages
2020-08-27 10:53 [PATCH 1/2] docs: process: Add cross-link to security-bugs Krzysztof Kozlowski
2020-08-27 10:53 ` [PATCH 2/2] docs: admin-guide: Not every security bug should be kept hidden Krzysztof Kozlowski
2020-08-27 12:11 ` Greg Kroah-Hartman
2020-08-27 13:10 ` Krzysztof Kozlowski
2020-08-27 17:54 ` Kees Cook [this message]
2020-08-27 12:07 ` [PATCH 1/2] docs: process: Add cross-link to security-bugs Greg Kroah-Hartman
2020-08-27 13:28 ` Felipe Balbi
2020-08-31 22:28 ` Jonathan Corbet