Re: [PATCH] Documentation/security-bugs: overhaul

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mauro Carvalho Chehab <mchehab@kernel.org>
To: Jonathan Corbet <corbet@lwn.net>
Cc: Vegard Nossum <vegard.nossum@oracle.com>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	Amit Shah <aams@amazon.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Gustavo A . R . Silva" <gustavoars@kernel.org>,
	Jiri Kosina <jkosina@suse.cz>, Kees Cook <keescook@chromium.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Solar Designer <solar@openwall.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Thorsten Leemhuis <linux@leemhuis.info>,
	Will Deacon <will@kernel.org>, Willy Tarreau <w@1wt.eu>
Subject: Re: [PATCH] Documentation/security-bugs: overhaul
Date: Sat, 4 Jun 2022 01:43:17 +0100	[thread overview]
Message-ID: <20220604014317.79eb23db@sal.lan> (raw)
In-Reply-To: <87fsko48xh.fsf@meer.lwn.net>

Em Wed, 01 Jun 2022 10:58:50 -0600
Jonathan Corbet <corbet@lwn.net> escreveu:

> Vegard Nossum <vegard.nossum@oracle.com> writes:
> 
> > The current instructions for reporting security vulnerabilities in the
> > kernel are not clear enough, in particular the process of disclosure
> > and requesting CVEs, and what the roles of the different lists are and
> > how exactly to report to each of them.
> >
> > Let's give this document an overhaul. Goals are stated as a comment at
> > the top of the document itself (these will not appear in the rendered
> > document).  
> 
> OK, some other thoughts...
> 
> [...]
> 
> > +Linux kernel security team at security@kernel.org, henceforth "the
> > +security list". This is a closed list of trusted developers who will
> > +help verify the bug report and develop a patch.
> > +
> > +While the security list is closed, the security team may bring in
> > +extra help from the relevant maintainers to understand and fix the
> > +security vulnerability.
> > +
> > +Note that the main interest of the kernel security list is in getting
> > +bugs fixed; CVE assignment, disclosure to distributions, and public
> > +disclosure happens on different lists with different people.  
> 
> Adding "as described below" or some such might be helpful for readers
> who are mostly interested in those things.  
> 
> > +Here is a quick overview of the various lists:
> > +
> > +.. list-table::
> > +   :widths: 35 10 20 35
> > +   :header-rows: 1
> > +
> > +   * - List address
> > +     - Open?
> > +     - Purpose
> > +     - Members
> > +   * - security@kernel.org
> > +     - Closed
> > +     - Reporting; patch development
> > +     - Trusted kernel developers
> > +   * - linux-distros@vs.openwall.org
> > +     - Closed
> > +     - Coordination; CVE assignment; patch development, testing, and backporting
> > +     - Linux distribution representatives
> > +   * - oss-security@lists.openwall.com
> > +     - Public
> > +     - Disclosure
> > +     - General public  
> 
> Please don't use list-table, that's totally unreadable in the plain-text
> format.  How about something like:
> 
>  =============================== ===== ================= ===============
>  List address                    Open? Purpose           Members
>  =============================== ===== ================= ===============
>  security@kernel.org                no Reporting         Trusted kernel
>                                                          developers
>                                        Patch development
>  linux-distros@vs.openwall.org      no Coordination      Distribution 
>                                                          representatives
>                                        CVE assignment
>                                        Patch development
>                                        Testing
>                                        Backporting
>  oss-security@lists.openwall.com   yes Disclosure        General public
>  =============================== ===== ================= ===============
> 
> (Note I haven't tried to format this, there's probably an error in there
> somewhere). 

Yeah, I guess the right syntax is something like:

  =============================== ===== ================= ===============
  List address                    Open? Purpose           Members
  ------------------------------- ----- ----------------- ---------------
  security@kernel.org                no Reporting         Trusted kernel
                                                          developers
                                        Patch development
  linux-distros@vs.openwall.org      no Coordination      Distribution 
                                                          representatives
                                        CVE assignment

                                        Patch development

                                        Testing

                                        Backporting
  oss-security@lists.openwall.com   yes Disclosure        General public
  =============================== ===== ================= ===============

Regards,
Mauro

     prev parent reply	other threads:[~2022-06-04  0:43 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-31 23:03 [PATCH] Documentation/security-bugs: overhaul Vegard Nossum
2022-06-01  3:12 ` Willy Tarreau
2022-06-02 15:34   ` Vegard Nossum
2022-06-03  6:49     ` Willy Tarreau
2022-06-06 14:21       ` Vegard Nossum
2022-06-06 15:07         ` Willy Tarreau
2022-06-01 13:38 ` Jonathan Corbet
2022-06-01 16:58 ` Jonathan Corbet
2022-06-02 17:53   ` Vegard Nossum
2022-06-04  0:43   ` Mauro Carvalho Chehab [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220604014317.79eb23db@sal.lan \
    --to=mchehab@kernel.org \
    --cc=aams@amazon.com \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@linux.intel.com \
    --cc=dwmw@amazon.co.uk \
    --cc=gregkh@linuxfoundation.org \
    --cc=gustavoars@kernel.org \
    --cc=jkosina@suse.cz \
    --cc=keescook@chromium.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@leemhuis.info \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=solar@openwall.com \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=vegard.nossum@oracle.com \
    --cc=w@1wt.eu \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.