From: Willy Tarreau <w@1wt.eu>
To: Kees Cook <kees@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>,
Security Officers <security@kernel.org>,
gregkh@linuxfoundation.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
Date: Wed, 3 Dec 2025 15:58:45 +0100
Message-ID: <20251203145845.GB11908@1wt.eu>
In-Reply-To: <AFC0A4BB-6DBB-4C66-A2DF-940F9B6725A5@kernel.org>

On Wed, Dec 03, 2025 at 06:40:38AM -0800, Kees Cook wrote:
> >+Markdown, HTML and RST formatted reports are particularly frowned upon since
> >+they're quite hard to read for humans and encourage to use dedicated viewers,
> >+sometimes online, which by definition is not acceptable for a confidential
> >+security report.
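Review bot: In the added sentence, "encourage to use dedicated viewers" has no object and reads awkwardly; consider "encourage the use of dedicated viewers". The clause "which by definition is not acceptable" is also ambiguous about whether it covers any dedicated viewer or only online ones, so it would help to state explicitly that pasting a confidential report into an online renderer is what is not acceptable.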
>
> HTML sure. But why discourage .md and .rst? Markdown is pretty well the
> de facto "human readable" markup format and our own kernel documentation is
> .rst. Those are good for seeing code snippets, etc.

Quite frankly, have you tried to read the latest reports? They're full
of "**" everywhere with no spacing nor indent at all, it's particularly
hard to find the relevant information in them. It's super tempting to
copy-paste them to the plenty of online viewers to render them correctly,
except we'd rather not do that for obvious reasons. And when you start
to discuss it gets even worse with ``` formatting tags isolated between
quoted paragraphs and no longer being relevant.

And let's be honest, these ones are close to 100% of the time generated
by AI tools which are almost unable to produce anything else anymore by
default because that's what they're using to interact with the chatbot's
UI. If at least that forces those seeking a CVE number to actually *read*
what their favorite AI bot produced, it will be a huge gain for everyone.
Right now I'm really ashamed to forward AI-generated garbage to subsystem
maintainers just in case there would be anything valid despite the format
already strongly hinting otherwise.

> I would call out PDF and ZIP instead. We especially don't want _binary_
> formats.

IMHO we don't want useless nor hard-to-exploit reports in the first
place, and to date I don't remember seeing a really valid and
immediately actionable one using such decorations, since they were
not written by the reporters.

Willy