Re: [PATCH 2/3] Documentation: security-bugs: explain what is and is not a security bug

public inbox for linux-doc@vger.kernel.org
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: Greg KH <greg@kroah.com>
Cc: leon@kernel.org, security@kernel.org,
	Jonathan Corbet <corbet@lwn.net>,
	skhan@linuxfoundation.org, workflows@vger.kernel.org,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] Documentation: security-bugs: explain what is and is not a security bug
Date: Wed, 29 Apr 2026 05:09:43 +0200	[thread overview]
Message-ID: <afF2d6RzRf2Flnv7@1wt.eu> (raw)
In-Reply-To: <2026042804-overbook-ripeness-73dd@gregkh>

On Tue, Apr 28, 2026 at 03:13:01PM -0600, Greg KH wrote:
> > > We can point at other files, as this list is going to get long over
> > > time, which is a good thing.
> > 
> > Sure. I'm just unsure where this could be enumerated, as it's likely
> > that there would be just one or two lines max per subsystem for the
> > majority of them. Or we could have a totally separate file, "threat
> > model", that goes into great lengths detailing all this with sections
> > per category or subsystem when they start to grow maybe, and refer only
> > to that one from security-bugs ?
> 
> I think a separate file is good, I know I need to write up what the USB
> model is, and it's different from PCI, and different from other
> subsystems.  All should probably be documented eventually.

Would you be interested in me trying to initiate a new "threat-model.rst"
file that tries to unroll the points mentioned in the list ? I'm concerned
that that withuot having many details initially, it could look a bit odd,
because the list we currently have would be more suitable for an "other"
section.

> > > > > (like what the IB subsystem does which I
> > > > > don't think you listed above, or the USB subsystem.)
> > > > 
> > > > Indeed I didn't list IB (I'm never sure about it, I seem to remember
> > > > we simply trust any peer, is that right?), nor did I make specific
> > > > mentions for USB which is implicitly covered by "hardware emulation
> > > > or modification".
> > > 
> > > Ah, but USB does cover "some" modification of devices, so this is going
> > > to be something that is good to document over time, if for no other
> > > reason to keep these scanning tools in check from hallucinating crazy
> > > situations that are obviously not a valid thing we care about.
> > 
> > OK but does this mean you still want to get these reports in the end ?
> 
> I want a patch if a user cares about that threat-model (as Android does
> but no one else) as it's up to the user groups that want to change the
> default kernel's behavior like this to actually submit patches to do so.

Yes, OK, but we want them in any case. That's the idea I tried to convey
in the proposed doc (maybe not well enough), basically "this is a bug and
it is worth reporting, but no need to involve s@k.o for this".

thanks,
Willy

next prev parent reply	other threads:[~2026-04-29  3:09 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-26 16:39 [PATCH 0/3] Documentation: security-bugs: new updates covering triage and AI Willy Tarreau
2026-04-26 16:39 ` [PATCH 1/3] Documentation: security-bugs: do not systematically Cc the security team Willy Tarreau
2026-04-27 13:49   ` Greg KH
2026-04-27 15:24     ` Willy Tarreau
2026-04-27 15:33       ` Greg KH
2026-04-27 16:09         ` Willy Tarreau
2026-04-26 16:39 ` [PATCH 2/3] Documentation: security-bugs: explain what is and is not a security bug Willy Tarreau
2026-04-26 19:33   ` Randy Dunlap
2026-04-27 13:48   ` Greg KH
2026-04-27 15:27     ` Willy Tarreau
2026-04-27 15:35       ` Greg KH
2026-04-27 16:14         ` Willy Tarreau
2026-04-28 21:13           ` Greg KH
2026-04-29  3:09             ` Willy Tarreau [this message]
2026-04-26 16:39 ` [PATCH 3/3] Documentation: security-bugs: clarify requirements for AI-assisted reports Willy Tarreau
2026-04-26 19:36   ` Randy Dunlap
2026-04-27  2:22     ` Willy Tarreau
2026-04-27 13:50   ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=afF2d6RzRf2Flnv7@1wt.eu \
    --to=w@1wt.eu \
    --cc=corbet@lwn.net \
    --cc=greg@kroah.com \
    --cc=leon@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=security@kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=workflows@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox