From: Mauro Carvalho Chehab <mchehab@kernel.org>
To: Jonathan Corbet <corbet@lwn.net>
Cc: Vegard Nossum <vegard.nossum@oracle.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
Amit Shah <aams@amazon.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Jiri Kosina <jkosina@suse.cz>, Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Solar Designer <solar@openwall.com>,
Thomas Gleixner <tglx@linutronix.de>,
Thorsten Leemhuis <linux@leemhuis.info>,
Will Deacon <will@kernel.org>, Willy Tarreau <w@1wt.eu>
Subject: Re: [PATCH] Documentation/security-bugs: overhaul
Date: Sat, 4 Jun 2022 01:43:17 +0100 [thread overview]
Message-ID: <20220604014317.79eb23db@sal.lan> (raw)
In-Reply-To: <87fsko48xh.fsf@meer.lwn.net>
Em Wed, 01 Jun 2022 10:58:50 -0600
Jonathan Corbet <corbet@lwn.net> escreveu:
> Vegard Nossum <vegard.nossum@oracle.com> writes:
>
> > The current instructions for reporting security vulnerabilities in the
> > kernel are not clear enough, in particular the process of disclosure
> > and requesting CVEs, and what the roles of the different lists are and
> > how exactly to report to each of them.
> >
> > Let's give this document an overhaul. Goals are stated as a comment at
> > the top of the document itself (these will not appear in the rendered
> > document).
>
> OK, some other thoughts...
>
> [...]
>
> > +Linux kernel security team at security@kernel.org, henceforth "the
> > +security list". This is a closed list of trusted developers who will
> > +help verify the bug report and develop a patch.
> > +
> > +While the security list is closed, the security team may bring in
> > +extra help from the relevant maintainers to understand and fix the
> > +security vulnerability.
> > +
> > +Note that the main interest of the kernel security list is in getting
> > +bugs fixed; CVE assignment, disclosure to distributions, and public
> > +disclosure happens on different lists with different people.
>
> Adding "as described below" or some such might be helpful for readers
> who are mostly interested in those things.
>
> > +Here is a quick overview of the various lists:
> > +
> > +.. list-table::
> > + :widths: 35 10 20 35
> > + :header-rows: 1
> > +
> > + * - List address
> > + - Open?
> > + - Purpose
> > + - Members
> > + * - security@kernel.org
> > + - Closed
> > + - Reporting; patch development
> > + - Trusted kernel developers
> > + * - linux-distros@vs.openwall.org
> > + - Closed
> > + - Coordination; CVE assignment; patch development, testing, and backporting
> > + - Linux distribution representatives
> > + * - oss-security@lists.openwall.com
> > + - Public
> > + - Disclosure
> > + - General public
>
> Please don't use list-table, that's totally unreadable in the plain-text
> format. How about something like:
>
> =============================== ===== ================= ===============
> List address Open? Purpose Members
> =============================== ===== ================= ===============
> security@kernel.org no Reporting Trusted kernel
> developers
> Patch development
> linux-distros@vs.openwall.org no Coordination Distribution
> representatives
> CVE assignment
> Patch development
> Testing
> Backporting
> oss-security@lists.openwall.com yes Disclosure General public
> =============================== ===== ================= ===============
>
> (Note I haven't tried to format this, there's probably an error in there
> somewhere).
Yeah, I guess the right syntax is something like:
=============================== ===== ================= ===============
List address Open? Purpose Members
------------------------------- ----- ----------------- ---------------
security@kernel.org no Reporting Trusted kernel
developers
Patch development
linux-distros@vs.openwall.org no Coordination Distribution
representatives
CVE assignment
Patch development
Testing
Backporting
oss-security@lists.openwall.com yes Disclosure General public
=============================== ===== ================= ===============
Regards,
Mauro
prev parent reply other threads:[~2022-06-04 0:43 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-31 23:03 [PATCH] Documentation/security-bugs: overhaul Vegard Nossum
2022-06-01 3:12 ` Willy Tarreau
2022-06-02 15:34 ` Vegard Nossum
2022-06-03 6:49 ` Willy Tarreau
2022-06-06 14:21 ` Vegard Nossum
2022-06-06 15:07 ` Willy Tarreau
2022-06-01 13:38 ` Jonathan Corbet
2022-06-01 16:58 ` Jonathan Corbet
2022-06-02 17:53 ` Vegard Nossum
2022-06-04 0:43 ` Mauro Carvalho Chehab [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220604014317.79eb23db@sal.lan \
--to=mchehab@kernel.org \
--cc=aams@amazon.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=gustavoars@kernel.org \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@leemhuis.info \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=solar@openwall.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vegard.nossum@oracle.com \
--cc=w@1wt.eu \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox