* [PATCH] Documentation/security-bugs: provide more information about linux-distros @ 2019-07-11 16:36 Sasha Levin 2019-07-11 17:07 ` Greg KH 0 siblings, 1 reply; 5+ messages in thread From: Sasha Levin @ 2019-07-11 16:36 UTC (permalink / raw) To: corbet, solar Cc: will, keescook, peterz, gregkh, tyhicks, linux-doc, linux-kernel, Sasha Levin Provide more information about how to interact with the linux-distros mailing list for disclosing security bugs. First, clarify that the reporter must read and accept the linux-distros policies prior to sending a report. Second, clarify that the reported must provide a tentative public disclosure date and time in his first contact with linux-distros. Suggested-by: Solar Designer <solar@openwall.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst index dcd6c93c7aac..c62faced9256 100644 --- a/Documentation/admin-guide/security-bugs.rst +++ b/Documentation/admin-guide/security-bugs.rst @@ -61,14 +61,19 @@ Coordination Fixes for sensitive bugs, such as those that might lead to privilege escalations, may need to be coordinated with the private -<linux-distros@vs.openwall.org> mailing list so that distribution vendors -are well prepared to issue a fixed kernel upon public disclosure of the -upstream fix. Distros will need some time to test the proposed patch and -will generally request at least a few days of embargo, and vendor update -publication prefers to happen Tuesday through Thursday. When appropriate, -the security team can assist with this coordination, or the reporter can -include linux-distros from the start. In this case, remember to prefix -the email Subject line with "[vs]" as described in the linux-distros wiki: +<linux-distros@vs.openwall.org> mailing list so that distribution vendors are +well prepared to issue a fixed kernel upon public disclosure of the upstream +fix. As a reporter, you must read and accept the list's policy as outlined in +the linux-distros wiki: +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>. +When you report a bug, you must also provide a tentative disclosure date and +time in your very first message to the list. Distros will need some time to +test the proposed patch so please allow at least a few days of embargo, and +vendor update publication prefers to happen Tuesday through Thursday. When +appropriate, the security team can assist with this coordination, or the +reporter can include linux-distros from the start. In this case, remember to +prefix the email Subject line with "[vs]" as described in the linux-distros +wiki: <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> CVE assignment -- 2.20.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Documentation/security-bugs: provide more information about linux-distros 2019-07-11 16:36 [PATCH] Documentation/security-bugs: provide more information about linux-distros Sasha Levin @ 2019-07-11 17:07 ` Greg KH 2019-07-11 17:09 ` Will Deacon 0 siblings, 1 reply; 5+ messages in thread From: Greg KH @ 2019-07-11 17:07 UTC (permalink / raw) To: Sasha Levin Cc: corbet, solar, will, keescook, peterz, tyhicks, linux-doc, linux-kernel On Thu, Jul 11, 2019 at 12:36:37PM -0400, Sasha Levin wrote: > Provide more information about how to interact with the linux-distros > mailing list for disclosing security bugs. > > First, clarify that the reporter must read and accept the linux-distros > policies prior to sending a report. > > Second, clarify that the reported must provide a tentative public > disclosure date and time in his first contact with linux-distros. > > Suggested-by: Solar Designer <solar@openwall.com> > Signed-off-by: Sasha Levin <sashal@kernel.org> > --- > Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++-------- > 1 file changed, 13 insertions(+), 8 deletions(-) > > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst > index dcd6c93c7aac..c62faced9256 100644 > --- a/Documentation/admin-guide/security-bugs.rst > +++ b/Documentation/admin-guide/security-bugs.rst > @@ -61,14 +61,19 @@ Coordination > > Fixes for sensitive bugs, such as those that might lead to privilege > escalations, may need to be coordinated with the private > -<linux-distros@vs.openwall.org> mailing list so that distribution vendors > -are well prepared to issue a fixed kernel upon public disclosure of the > -upstream fix. Distros will need some time to test the proposed patch and > -will generally request at least a few days of embargo, and vendor update > -publication prefers to happen Tuesday through Thursday. When appropriate, > -the security team can assist with this coordination, or the reporter can > -include linux-distros from the start. In this case, remember to prefix > -the email Subject line with "[vs]" as described in the linux-distros wiki: > +<linux-distros@vs.openwall.org> mailing list so that distribution vendors are > +well prepared to issue a fixed kernel upon public disclosure of the upstream > +fix. As a reporter, you must read and accept the list's policy as outlined in > +the linux-distros wiki: > +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>. > +When you report a bug, you must also provide a tentative disclosure date and > +time in your very first message to the list. Distros will need some time to > +test the proposed patch so please allow at least a few days of embargo, and > +vendor update publication prefers to happen Tuesday through Thursday. When > +appropriate, the security team can assist with this coordination, or the > +reporter can include linux-distros from the start. In this case, remember to > +prefix the email Subject line with "[vs]" as described in the linux-distros > +wiki: > <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> Do we really need to describe all of the information on how to use the distro list here? That's why we included the link, as it has all of this well spelled out and described. If anything, I would say we should say less in this document about what linux-distros do, as that is independent of the Linux security team. thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Documentation/security-bugs: provide more information about linux-distros 2019-07-11 17:07 ` Greg KH @ 2019-07-11 17:09 ` Will Deacon 2019-07-11 20:35 ` Sasha Levin 0 siblings, 1 reply; 5+ messages in thread From: Will Deacon @ 2019-07-11 17:09 UTC (permalink / raw) To: Greg KH Cc: Sasha Levin, corbet, solar, keescook, peterz, tyhicks, linux-doc, linux-kernel On Thu, Jul 11, 2019 at 07:07:32PM +0200, Greg KH wrote: > On Thu, Jul 11, 2019 at 12:36:37PM -0400, Sasha Levin wrote: > > Provide more information about how to interact with the linux-distros > > mailing list for disclosing security bugs. > > > > First, clarify that the reporter must read and accept the linux-distros > > policies prior to sending a report. > > > > Second, clarify that the reported must provide a tentative public > > disclosure date and time in his first contact with linux-distros. > > > > Suggested-by: Solar Designer <solar@openwall.com> > > Signed-off-by: Sasha Levin <sashal@kernel.org> > > --- > > Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++-------- > > 1 file changed, 13 insertions(+), 8 deletions(-) > > > > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst > > index dcd6c93c7aac..c62faced9256 100644 > > --- a/Documentation/admin-guide/security-bugs.rst > > +++ b/Documentation/admin-guide/security-bugs.rst > > @@ -61,14 +61,19 @@ Coordination > > > > Fixes for sensitive bugs, such as those that might lead to privilege > > escalations, may need to be coordinated with the private > > -<linux-distros@vs.openwall.org> mailing list so that distribution vendors > > -are well prepared to issue a fixed kernel upon public disclosure of the > > -upstream fix. Distros will need some time to test the proposed patch and > > -will generally request at least a few days of embargo, and vendor update > > -publication prefers to happen Tuesday through Thursday. When appropriate, > > -the security team can assist with this coordination, or the reporter can > > -include linux-distros from the start. In this case, remember to prefix > > -the email Subject line with "[vs]" as described in the linux-distros wiki: > > +<linux-distros@vs.openwall.org> mailing list so that distribution vendors are > > +well prepared to issue a fixed kernel upon public disclosure of the upstream > > +fix. As a reporter, you must read and accept the list's policy as outlined in > > +the linux-distros wiki: > > +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>. > > +When you report a bug, you must also provide a tentative disclosure date and > > +time in your very first message to the list. Distros will need some time to > > +test the proposed patch so please allow at least a few days of embargo, and > > +vendor update publication prefers to happen Tuesday through Thursday. When > > +appropriate, the security team can assist with this coordination, or the > > +reporter can include linux-distros from the start. In this case, remember to > > +prefix the email Subject line with "[vs]" as described in the linux-distros > > +wiki: > > <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> > > Do we really need to describe all of the information on how to use the > distro list here? That's why we included the link, as it has all of > this well spelled out and described. If anything, I would say we should > say less in this document about what linux-distros do, as that is > independent of the Linux security team. Agreed, and it also means that any changes linux-distros make to their policy won't be reflecting in the numerous kernel trees out there, so a link is much better imo. Will ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Documentation/security-bugs: provide more information about linux-distros 2019-07-11 17:09 ` Will Deacon @ 2019-07-11 20:35 ` Sasha Levin 2019-07-14 18:05 ` Solar Designer 0 siblings, 1 reply; 5+ messages in thread From: Sasha Levin @ 2019-07-11 20:35 UTC (permalink / raw) To: Will Deacon Cc: Greg KH, corbet, solar, keescook, peterz, tyhicks, linux-doc, linux-kernel On Thu, Jul 11, 2019 at 06:09:21PM +0100, Will Deacon wrote: >On Thu, Jul 11, 2019 at 07:07:32PM +0200, Greg KH wrote: >> On Thu, Jul 11, 2019 at 12:36:37PM -0400, Sasha Levin wrote: >> > Provide more information about how to interact with the linux-distros >> > mailing list for disclosing security bugs. >> > >> > First, clarify that the reporter must read and accept the linux-distros >> > policies prior to sending a report. >> > >> > Second, clarify that the reported must provide a tentative public >> > disclosure date and time in his first contact with linux-distros. >> > >> > Suggested-by: Solar Designer <solar@openwall.com> >> > Signed-off-by: Sasha Levin <sashal@kernel.org> >> > --- >> > Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++-------- >> > 1 file changed, 13 insertions(+), 8 deletions(-) >> > >> > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst >> > index dcd6c93c7aac..c62faced9256 100644 >> > --- a/Documentation/admin-guide/security-bugs.rst >> > +++ b/Documentation/admin-guide/security-bugs.rst >> > @@ -61,14 +61,19 @@ Coordination >> > >> > Fixes for sensitive bugs, such as those that might lead to privilege >> > escalations, may need to be coordinated with the private >> > -<linux-distros@vs.openwall.org> mailing list so that distribution vendors >> > -are well prepared to issue a fixed kernel upon public disclosure of the >> > -upstream fix. Distros will need some time to test the proposed patch and >> > -will generally request at least a few days of embargo, and vendor update >> > -publication prefers to happen Tuesday through Thursday. When appropriate, >> > -the security team can assist with this coordination, or the reporter can >> > -include linux-distros from the start. In this case, remember to prefix >> > -the email Subject line with "[vs]" as described in the linux-distros wiki: >> > +<linux-distros@vs.openwall.org> mailing list so that distribution vendors are >> > +well prepared to issue a fixed kernel upon public disclosure of the upstream >> > +fix. As a reporter, you must read and accept the list's policy as outlined in >> > +the linux-distros wiki: >> > +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>. >> > +When you report a bug, you must also provide a tentative disclosure date and >> > +time in your very first message to the list. Distros will need some time to >> > +test the proposed patch so please allow at least a few days of embargo, and >> > +vendor update publication prefers to happen Tuesday through Thursday. When >> > +appropriate, the security team can assist with this coordination, or the >> > +reporter can include linux-distros from the start. In this case, remember to >> > +prefix the email Subject line with "[vs]" as described in the linux-distros >> > +wiki: >> > <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> >> >> Do we really need to describe all of the information on how to use the >> distro list here? That's why we included the link, as it has all of >> this well spelled out and described. If anything, I would say we should >> say less in this document about what linux-distros do, as that is >> independent of the Linux security team. > >Agreed, and it also means that any changes linux-distros make to their >policy won't be reflecting in the numerous kernel trees out there, so a >link is much better imo. I agree that the 2nd part about embargo timelines is redundant, but I only addressed it because the document was already addressing embargos. I only now realized that the link we had there was just going to the main wiki page by mistake: the tag it was trying to point to was removed from the wiki page. We should probably update that too. With regards to the explicit instruction to agree with policies, I think we do need it there. Right now this section reads as "for embargoes work with linux-distros@vs.openwall.org, and btw they have a wiki which you may or may not need to read". We probably do need to stress here that linux-distros has different policies than security@kernel.org. -- Thanks, Sasha ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Documentation/security-bugs: provide more information about linux-distros 2019-07-11 20:35 ` Sasha Levin @ 2019-07-14 18:05 ` Solar Designer 0 siblings, 0 replies; 5+ messages in thread From: Solar Designer @ 2019-07-14 18:05 UTC (permalink / raw) To: Sasha Levin Cc: Will Deacon, Greg KH, corbet, keescook, peterz, tyhicks, linux-doc, linux-kernel On Thu, Jul 11, 2019 at 04:35:00PM -0400, Sasha Levin wrote: > On Thu, Jul 11, 2019 at 06:09:21PM +0100, Will Deacon wrote: > >On Thu, Jul 11, 2019 at 07:07:32PM +0200, Greg KH wrote: > >>On Thu, Jul 11, 2019 at 12:36:37PM -0400, Sasha Levin wrote: > >>> Provide more information about how to interact with the linux-distros > >>> mailing list for disclosing security bugs. > >>> > >>> First, clarify that the reporter must read and accept the linux-distros > >>> policies prior to sending a report. > >>> > >>> Second, clarify that the reported must provide a tentative public > >>> disclosure date and time in his first contact with linux-distros. > >>> > >>> Suggested-by: Solar Designer <solar@openwall.com> > >>> Signed-off-by: Sasha Levin <sashal@kernel.org> > >>> --- > >>> Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++-------- > >>> 1 file changed, 13 insertions(+), 8 deletions(-) Thanks. Sasha's proposed changes do address the two issues I pointed out, so are an improvement. However: > >>Do we really need to describe all of the information on how to use the > >>distro list here? That's why we included the link, as it has all of > >>this well spelled out and described. If anything, I would say we should > >>say less in this document about what linux-distros do, as that is > >>independent of the Linux security team. > > > >Agreed, and it also means that any changes linux-distros make to their > >policy won't be reflecting in the numerous kernel trees out there, so a > >link is much better imo. I also agree with this. > I agree that the 2nd part about embargo timelines is redundant, but I > only addressed it because the document was already addressing embargos. > > I only now realized that the link we had there was just going to the > main wiki page by mistake: the tag it was trying to point to was removed > from the wiki page. We should probably update that too. > > With regards to the explicit instruction to agree with policies, I think > we do need it there. Right now this section reads as "for embargoes work > with linux-distros@vs.openwall.org, and btw they have a wiki which you > may or may not need to read". Yes, we should update the link, but maybe we should also drop the posting e-mail address, which will ensure someone will have to check out the link before they're able to post. This should allow us to drop the summary of linux-distros policy and posting instructions, although maybe they're beneficial to keep if we're confident we'd be maintaining this summary to reflect possible changes on the linked page. > We probably do need to stress here that linux-distros has different > policies than security@kernel.org. OK. Alexander ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-07-14 18:12 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-07-11 16:36 [PATCH] Documentation/security-bugs: provide more information about linux-distros Sasha Levin 2019-07-11 17:07 ` Greg KH 2019-07-11 17:09 ` Will Deacon 2019-07-11 20:35 ` Sasha Levin 2019-07-14 18:05 ` Solar Designer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).