public inbox for linux-kernel@vger.kernel.org
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Chris Wright <chrisw@osdl.org>
Cc: akpm@osdl.org, torvalds@osdl.org, marcelo.tosatti@cyclades.com,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: security contact draft
Date: Thu, 13 Jan 2005 20:10:58 +0000	[thread overview]
Message-ID: <1105647058.4624.134.camel@localhost.localdomain> (raw)
In-Reply-To: <20050113125503.C469@build.pdx.osdl.net>

On Thu, 2005-01-13 at 20:55, Chris Wright wrote:
> To keep the conversation concrete, here's a pretty rough stab at
> documenting the policy.

It's not documenting the stuff Linus seems to be talking about, which is
a public list? Or does Linus want both?

>  It is preferred that mail sent to the security contact is encrypted
>  with $PUBKEY.

https:// and bugs.kernel.org? You can make bugzilla auto-private
security bugs and alert people.

>  well-tested or for vendor coordination.  However, we expect these delays
>  to be short, measurable in days, not weeks or months.  As a basic default
>  policy, we expect report to disclosure to be on the order of $NUMDAYS.

Sounds good. $NUMDAYS is going to require some debate. My gut feeling is
14 days is probably the right kind of target for hard stuff, remembering
how long it takes to run QA on an enterprise-grade kernel. If it gets
too short then vendors are going to disclose elsewhere for their own
findings, and only to this list when they are all ready anyway, which
takes us back to square one.

And many are probably a lot less - those nobody is going to rush out and
build new vendor kernels for, or those that prove to be non-serious, can
probably get bumped to the public list by the security officer within a
day or two.

Alan


Thread overview: 14+ messages
2005-01-13 20:55 security contact draft Chris Wright
2005-01-13 20:10 ` Alan Cox [this message]
2005-01-13 21:31   ` Linus Torvalds
2005-01-13 19:28     ` Marcelo Tosatti
2005-01-13 22:02   ` Chris Wright
2005-01-13 21:43 ` Florian Weimer
2005-01-13 22:12   ` Chris Wright
2005-01-15  0:33     ` Alan Cox
2005-01-15  2:43       ` Chris Wright
2005-01-15  4:00         ` Alan Cox
2005-01-18  0:24           ` security contact draft2 (was Re: security contact draft) Chris Wright
2005-01-18 17:39             ` Horst von Brand
2005-02-03 14:28 ` security contact draft Patrick Plattes
2005-02-03 18:08   ` Chris Wright