From: Solar Designer <solar@openwall.com>
To: Kees Cook <keescook@chromium.org>
Cc: Sasha Levin <sashal@kernel.org>,
corbet@lwn.net, will@kernel.org, peterz@infradead.org,
gregkh@linuxfoundation.org, tyhicks@canonical.com,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
Date: Fri, 19 Jul 2019 10:42:15 +0200 [thread overview]
Message-ID: <20190719084215.GA24691@openwall.com> (raw)
In-Reply-To: <201907181833.EF0D93C@keescook>
On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > >
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@kernel.org's policy.
> > > >
> > > > Suggested-by: Solar Designer <solar@openwall.com>
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > >
> > > Sorry, but NACK, see below...
I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then
I suggest that we apply Sasha's first revision of the patch instead.
I think either revision is an improvement on the status quo.
> I think reinforcing information to avoid past mistakes is appropriate
> here.
Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:
- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.
- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@k.o or whether
they want someone on linux-distros to help coordinate with security@k.o.
(Maybe this is something we want to write about here.)
- The Linux kernel bug having been introduced too recently to be of much
interest to distros.
> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.
This happens too. Regarding missing the "[vs]" detail, technically
there are also a number of other conditions that also let the message
through, but those are changing and are deliberately not advertised.
> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.
Right.
> This has caused leaks in the past
Do you mean leaks to *BSD security teams or to the public? I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list. Are you?
Alexander
next prev parent reply other threads:[~2019-07-19 8:42 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-17 23:11 [PATCH v2] Documentation/security-bugs: provide more information about linux-distros Sasha Levin
2019-07-18 9:40 ` Will Deacon
2019-07-18 14:14 ` Solar Designer
2019-07-18 22:00 ` Kees Cook
2019-07-19 0:39 ` Sasha Levin
2019-07-19 1:51 ` Kees Cook
2019-07-19 3:41 ` Sasha Levin
2019-07-19 8:42 ` Solar Designer [this message]
2019-07-23 22:23 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190719084215.GA24691@openwall.com \
--to=solar@openwall.com \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=sashal@kernel.org \
--cc=tyhicks@canonical.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).