From: Greg KH <greg@kroah.com>
To: Sasha Levin <sashal@kernel.org>
Cc: ksummit@lists.linux.dev
Subject: Re: [MAINTAINERS SUMMIT] Scaling our security process
Date: Fri, 17 Jul 2026 06:59:26 +0200 [thread overview]
Message-ID: <2026071715-electable-swarm-3400@gregkh> (raw)
In-Reply-To: <alj2AX17zXFMIjZW@laps>
On Thu, Jul 16, 2026 at 11:17:21AM -0400, Sasha Levin wrote:
> On Wed, Jul 15, 2026 at 06:43:04AM +0200, Greg KH wrote:
> > One comment about something I've been working on lately:
> >
> > On Tue, Jul 14, 2026 at 07:54:58PM -0400, Sasha Levin wrote:
> > > 1. Does security@ still work? It was built for a handful of carefully written
> > > reports, handled start to finish by a small group of volunteers. That process
> > > never really scaled before, and it won't scale now. Does it make sense to
> > > separate the roles? let AI driven tooling handle intake, filtering, and
> > > reproduction, and keep the humans for developing and coordinating fixes for
> > > reports that survive triage?
> >
> > It was not really "built" for anything other than a place that people
> > could report security bugs and get them fixed. We have changed the way
> > it works over the past months, and for right now, things seem _MUCH_
> > smoother than ever before.
> >
> > Also, we are getting funding "any day now" to have someone work full
> > time on this, to be the "point person" for the alias to help when things
> > fall through the cracks, as sometimes happens. We have verbal
> > guarantees of at least 6 months funding, and if that goes well, it
> > should be extended.
>
> It almost sounds like we need a CRM system here rather than a person?
Hah, no, any single-point-of-failure here would not be a good thing.
> > LLMs really can't be used for security@ EXCEPT if you use a local model,
> > due to the "interesting" legal rules that security@ has to operate
> > under. We've been using it there for a while now, when needed, and it
> > has helped to spit out "first cut" patches for reports that do not
> > contain a patch to start with. That usage is gone way down now that we
> > ask for a patch in the intial report as all of these reports are being
> > generated by a LLM anyway.
> >
> > And attempting to use a LLM to handle intake and filtering just doesn't
> > work. Many people who have experience with being on the recieving end
> > of such a feed have agreed, that isn't the real problem with getting
> > this feed at all. The real problem is unresponsive reporters, and
> > "middlemen" that like to put their company inbetween the reporter of the
> > bug, and us, the fixer of the bug. A LLM just can't do anything there,
> > but I'll let the person who ends up doing the work for this for the next
> > 6 months have their say after they've been on the recieving end of the
> > firehose for a while :)
>
> Ignoring the LLM for a moment, is there value in jumping through all these
> hoops if we don't also end up with backports of the issues that are being
> fixed?
I understand your worry here, but that's a separate issue. First we
need to make sure the patches hit Linus's tree, which is what
security@k.o is for. Then we need to make sure the patches hit stable
kernels, which is what stable@vger is for. Two different groups/goals.
thanks,
greg k-h
next prev parent reply other threads:[~2026-07-17 5:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 23:54 [MAINTAINERS SUMMIT] Scaling our security process Sasha Levin
2026-07-15 4:43 ` Greg KH
2026-07-16 15:17 ` Sasha Levin
2026-07-17 4:59 ` Greg KH [this message]
2026-07-17 15:15 ` Konstantin Ryabitsev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026071715-electable-swarm-3400@gregkh \
--to=greg@kroah.com \
--cc=ksummit@lists.linux.dev \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox