From: Willy Tarreau <w@1wt.eu>
To: Greg KH <greg@kroah.com>
Cc: leon@kernel.org, security@kernel.org,
Jonathan Corbet <corbet@lwn.net>,
skhan@linuxfoundation.org, workflows@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] Documentation: security-bugs: explain what is and is not a security bug
Date: Wed, 29 Apr 2026 05:09:43 +0200 [thread overview]
Message-ID: <afF2d6RzRf2Flnv7@1wt.eu> (raw)
In-Reply-To: <2026042804-overbook-ripeness-73dd@gregkh>
On Tue, Apr 28, 2026 at 03:13:01PM -0600, Greg KH wrote:
> > > We can point at other files, as this list is going to get long over
> > > time, which is a good thing.
> >
> > Sure. I'm just unsure where this could be enumerated, as it's likely
> > that there would be just one or two lines max per subsystem for the
> > majority of them. Or we could have a totally separate file, "threat
> > model", that goes into great lengths detailing all this with sections
> > per category or subsystem when they start to grow maybe, and refer only
> > to that one from security-bugs ?
>
> I think a separate file is good, I know I need to write up what the USB
> model is, and it's different from PCI, and different from other
> subsystems. All should probably be documented eventually.
Would you be interested in me trying to initiate a new "threat-model.rst"
file that tries to unroll the points mentioned in the list ? I'm concerned
that that withuot having many details initially, it could look a bit odd,
because the list we currently have would be more suitable for an "other"
section.
> > > > > (like what the IB subsystem does which I
> > > > > don't think you listed above, or the USB subsystem.)
> > > >
> > > > Indeed I didn't list IB (I'm never sure about it, I seem to remember
> > > > we simply trust any peer, is that right?), nor did I make specific
> > > > mentions for USB which is implicitly covered by "hardware emulation
> > > > or modification".
> > >
> > > Ah, but USB does cover "some" modification of devices, so this is going
> > > to be something that is good to document over time, if for no other
> > > reason to keep these scanning tools in check from hallucinating crazy
> > > situations that are obviously not a valid thing we care about.
> >
> > OK but does this mean you still want to get these reports in the end ?
>
> I want a patch if a user cares about that threat-model (as Android does
> but no one else) as it's up to the user groups that want to change the
> default kernel's behavior like this to actually submit patches to do so.
Yes, OK, but we want them in any case. That's the idea I tried to convey
in the proposed doc (maybe not well enough), basically "this is a bug and
it is worth reporting, but no need to involve s@k.o for this".
thanks,
Willy
next prev parent reply other threads:[~2026-04-29 3:09 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-26 16:39 [PATCH 0/3] Documentation: security-bugs: new updates covering triage and AI Willy Tarreau
2026-04-26 16:39 ` [PATCH 1/3] Documentation: security-bugs: do not systematically Cc the security team Willy Tarreau
2026-04-27 13:49 ` Greg KH
2026-04-27 15:24 ` Willy Tarreau
2026-04-27 15:33 ` Greg KH
2026-04-27 16:09 ` Willy Tarreau
2026-04-26 16:39 ` [PATCH 2/3] Documentation: security-bugs: explain what is and is not a security bug Willy Tarreau
2026-04-26 19:33 ` Randy Dunlap
2026-04-27 13:48 ` Greg KH
2026-04-27 15:27 ` Willy Tarreau
2026-04-27 15:35 ` Greg KH
2026-04-27 16:14 ` Willy Tarreau
2026-04-28 21:13 ` Greg KH
2026-04-29 3:09 ` Willy Tarreau [this message]
2026-04-29 6:10 ` Greg KH
2026-05-01 13:57 ` Willy Tarreau
2026-05-02 5:20 ` Demi Marie Obenour
2026-05-02 5:35 ` Willy Tarreau
2026-05-02 5:51 ` Demi Marie Obenour
2026-05-02 6:07 ` Willy Tarreau
2026-05-02 6:27 ` Demi Marie Obenour
2026-04-26 16:39 ` [PATCH 3/3] Documentation: security-bugs: clarify requirements for AI-assisted reports Willy Tarreau
2026-04-26 19:36 ` Randy Dunlap
2026-04-27 2:22 ` Willy Tarreau
2026-04-27 13:50 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afF2d6RzRf2Flnv7@1wt.eu \
--to=w@1wt.eu \
--cc=corbet@lwn.net \
--cc=greg@kroah.com \
--cc=leon@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.