From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
security@kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
Date: Fri, 10 Jul 2020 12:36:48 +0200 [thread overview]
Message-ID: <20200710103648.GE4800@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <202007091110.205DC6A9@keescook>
On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..c32eb786201c 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
>
> As it is with any bug, the more information provided the easier it
> will be to diagnose and fix. Please review the procedure outlined in
> -admin-guide/reporting-bugs.rst if you are unclear about what
> +:doc:`reporting-bugs` if you are unclear about what
I can do 'gf' on Documentation/admin-guide/reporting-bugs.rst, I can do
didly squat with crap like :doc:'reporting-bugs'.
NAK
> information is helpful. Any exploit code is very helpful and will not
> be released without consent from the reporter unless it has already been
> made public.
>
> +Please send plain text emails without attachments where possible.
> +It is much harder to have a context-quoted discussion about a complex
> +issue if all the details are hidden away in attachments. Think of it like a
> +:doc:`regular patch submission <../process/submitting-patches>`
More unusable references.
> +(even if you don't have a patch yet): describe the problem and impact, list
> +reproduction steps, and follow it with a proposed fix, all in plain text.
> +
You forgot to mention that opening complex file formats is a security
risk all of its own.
next prev parent reply other threads:[~2020-07-10 10:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
2020-07-09 20:42 ` Will Deacon
2020-07-09 22:17 ` Kees Cook
2020-07-10 3:45 ` Willy Tarreau
2020-07-10 10:37 ` Peter Zijlstra
2020-07-09 22:50 ` Jiri Kosina
2020-07-09 23:03 ` Gustavo A. R. Silva
2020-07-10 6:49 ` Greg Kroah-Hartman
2020-07-10 10:36 ` Peter Zijlstra [this message]
2020-07-13 15:37 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200710103648.GE4800@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox