From: Kees Cook <keescook@chromium.org>
To: Will Deacon <will@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
security@kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
Date: Thu, 9 Jul 2020 15:17:02 -0700 [thread overview]
Message-ID: <202007091515.EC09267FC@keescook> (raw)
In-Reply-To: <20200709204255.GA29288@willie-the-truck>
On Thu, Jul 09, 2020 at 09:42:56PM +0100, Will Deacon wrote:
> On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> > The security contact list gets regular reports contained in archive
> > attachments. This tends to add some back-and-forth delay in dealing with
> > security reports since we have to ask for plain text, etc.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> > index dcd6c93c7aac..c32eb786201c 100644
> > --- a/Documentation/admin-guide/security-bugs.rst
> > +++ b/Documentation/admin-guide/security-bugs.rst
> > @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
> >
> > As it is with any bug, the more information provided the easier it
> > will be to diagnose and fix. Please review the procedure outlined in
> > -admin-guide/reporting-bugs.rst if you are unclear about what
> > +:doc:`reporting-bugs` if you are unclear about what
> > information is helpful. Any exploit code is very helpful and will not
> > be released without consent from the reporter unless it has already been
> > made public.
> >
> > +Please send plain text emails without attachments where possible.
> > +It is much harder to have a context-quoted discussion about a complex
> > +issue if all the details are hidden away in attachments. Think of it like a
> > +:doc:`regular patch submission <../process/submitting-patches>`
> > +(even if you don't have a patch yet): describe the problem and impact, list
> > +reproduction steps, and follow it with a proposed fix, all in plain text.
> > +
>
> Acked-by: Will Deacon <will@kernel.org>
Thanks!
>
> Hopefully "plain text" implies unencrypted as much as it does "not html".
I decided not to write a paragraph about how security@ isn't a
role-account with a separate GPG key etc etc. Those cases are rare
enough that I don't think it (yet) warrants a paragraph here. I want to
strike a balance between "all your questions are answered" and "there's
too much here for me to find the answer to my question". :)
--
Kees Cook
next prev parent reply other threads:[~2020-07-09 22:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
2020-07-09 20:42 ` Will Deacon
2020-07-09 22:17 ` Kees Cook [this message]
2020-07-10 3:45 ` Willy Tarreau
2020-07-10 10:37 ` Peter Zijlstra
2020-07-09 22:50 ` Jiri Kosina
2020-07-09 23:03 ` Gustavo A. R. Silva
2020-07-10 6:49 ` Greg Kroah-Hartman
2020-07-10 10:36 ` Peter Zijlstra
2020-07-13 15:37 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202007091515.EC09267FC@keescook \
--to=keescook@chromium.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox