From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Jonathan Corbet <corbet@lwn.net>,
linux-doc@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>,
Solar Designer <solar@openwall.com>,
Will Deacon <will@kernel.org>, Willy Tarreau <w@1wt.eu>,
linux-kernel@vger.kernel.org, Amit Shah <aams@amazon.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Woodhouse <dwmw@amazon.co.uk>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Kees Cook <keescook@chromium.org>,
Laura Abbott <labbott@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Thorsten Leemhuis <linux@leemhuis.info>,
Tyler Hicks <tyhicks@linux.microsoft.com>
Subject: Re: [PATCH v3 4/7] Documentation/security-bugs: add linux-distros and oss-security sections
Date: Mon, 6 Mar 2023 07:08:37 +0100
Message-ID: <ZAWDZdNAIq8yk86Y@kroah.com>
In-Reply-To: <20230305220010.20895-5-vegard.nossum@oracle.com>

On Sun, Mar 05, 2023 at 11:00:07PM +0100, Vegard Nossum wrote:
> The existing information about CVE assignment requests and coordinated
> disclosure fits much better in these new sections, since that's what these
> lists are for.
>
> Keep just a reminder in the security list section.
>
> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
> ---
> Documentation/process/security-bugs.rst | 92 ++++++++++++++++++-------
> 1 file changed, 67 insertions(+), 25 deletions(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index fb156d146c42..2dd6569a7abb 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -31,6 +31,10 @@ be released without consent from the reporter unless it has already been
> made public. Reporters are encouraged to propose patches, participate in the
> discussions of a fix, and test patches.
>
> +The security team does not assign CVEs, nor does it require them for reports
> +or fixes. CVEs may be requested when the issue is reported to the
> +linux-distros list.
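
Review bot: The second added sentence, "CVEs may be requested when the issue is reported to the linux-distros list", is passive and never says who receives the request. Placed directly under the paragraph about the security team, it can be read as the security team taking part in CVE handling, which the first added sentence denies. Consider naming the party the request goes to, or replacing the sentence with a pointer to the new linux-distros section that the commit message says now holds the CVE information.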

Note, this kind of implies that the security team would be the one whom
you request a CVE from. We can't do that, nor do we ever even want to
deal with that for obvious reasons. Also, who is to say that CVEs are
even anything anyone should be messing with in the first place given how
much they are abused and irrelevant most of the time?

So I would just keep a big "The kernel developer community does not deal
with CVEs at all. If you want one for your résumé/CV, please contact
MITRE directly at your own risk." type of warning in the document and
leave it at that.

thanks,

greg k-h

Thread overview: 22+ messages
2023-03-05 22:00 [PATCH v3 0/7] Documentation/security-bugs: overhaul Vegard Nossum
2023-03-05 22:00 ` [PATCH v3 1/7] Documentation/security-bugs: move from admin-guide/ to process/ Vegard Nossum
2023-03-06 12:35 ` Federico Vaga
2023-03-06 13:39 ` Carlos Bilbao
2023-03-06 14:04 ` Akira Yokosawa
2023-03-07 2:44 ` Yanteng Si
2023-03-12 15:00 ` Greg Kroah-Hartman
2023-03-05 22:00 ` [PATCH v3 2/7] Documentation/security-bugs: misc. improvements Vegard Nossum
2023-03-12 15:06 ` Greg Kroah-Hartman
2023-03-05 22:00 ` [PATCH v3 3/7] Documentation/security-bugs: improve security list section Vegard Nossum
2023-03-05 22:00 ` [PATCH v3 4/7] Documentation/security-bugs: add linux-distros and oss-security sections Vegard Nossum
2023-03-06 6:08 ` Greg Kroah-Hartman [this message]
2023-03-05 22:00 ` [PATCH v3 5/7] Documentation/security-bugs: add table of lists Vegard Nossum
2023-03-05 22:00 ` [PATCH v3 6/7] Documentation/security-bugs: clarify hardware vs. software vulnerabilities Vegard Nossum
2023-03-05 22:00 ` [PATCH v3 7/7] Documentation/security-bugs: document document design Vegard Nossum
2023-03-06 6:02 ` [PATCH v3 0/7] Documentation/security-bugs: overhaul Greg Kroah-Hartman
2023-03-06 6:35 ` Willy Tarreau
2023-03-06 6:42 ` Greg Kroah-Hartman
2023-03-06 9:42 ` Vegard Nossum
2023-03-06 7:11 ` Willy Tarreau
2023-03-06 8:47 ` Bagas Sanjaya
2023-03-06 8:48 ` Bagas Sanjaya