Re: [stable] Linux 2.6.25.10 (resume) - Rodrigo Rubira Branco (BSDaemon)

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Rodrigo Rubira Branco (BSDaemon)" <rbranco@la.checkpoint.com>
To: Alan Cox <alan@redhat.com>
Cc: Greg KH <gregkh@suse.de>,
	linux-kernel@vger.kernel.org, stable@kernel.org, greg@kroah.com,
	"'Justin Forbes'" <jmforbes@linuxtx.org>,
	"'Zwane Mwaikambo'" <zwane@arm.linux.org.uk>,
	"'Theodore Ts'o'" <tytso@mit.edu>,
	"'Randy Dunlap'" <rdunlap@xenotime.net>,
	"'Dave Jones'" <davej@redhat.com>,
	"'Chuck Wolber'" <chuckw@quantumlinux.com>,
	"'Chris Wedgwood'" <reviews@ml.cw.f00f.org>,
	"'Michael Krufky'" <mkrufky@linuxtv.org>,
	"'Chuck Ebbert'" <cebbert@redhat.com>,
	"'Domenico Andreoli'" <cavokz@gmail.com>,
	"'Willy Tarreau'" <w@1wt.eu>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, caglar@pardus.org.tr,
	casey@schaufler-ca.com, spender@grsecurity.net,
	pageexec@freemail.hu, rodrigo@kernelhacking.com
Subject: Re: [stable] Linux 2.6.25.10 (resume)
Date: Mon, 21 Jul 2008 21:48:13 -0300	[thread overview]
Message-ID: <48852E4D.3050405@la.checkpoint.com> (raw)
In-Reply-To: <20080719101140.GB20802@devserv.devel.redhat.com>

[-- Attachment #1: Type: text/plain, Size: 1672 bytes --]

Alan Cox escreveu:
>> @@ -1,7 +1,7 @@
>> -Linux kernel developers take security very seriously.  As such, we'd
>> -like to know when a security bug is found so that it can be fixed and
>> -disclosed as quickly as possible.  Please report security bugs to the
>> -Linux kernel security team.
>> +Linux kernel developers take security very seriously, in exactly the 
>> +same way we do with any other bugs.  As such, we'd like to know when 
>> +a security bug is found so that it can be fixed as soon as possible.
>> +Please report security bugs to the Linux kernel security team.
>>     
>
> NAK this. If the fix is not clear and the bug not too serious it is better
> to disclose it than fail to fix it. The security team does not usually fix the
> bugs, the experts in the various bits of code do.
>   
ACK ;)  Changed the sentence.  Tks.

>> -Any exploit code is very helpful and will not be released without
>> -consent from the reporter unless it has already been made public.
>> +Any exploit code is very helpful and will not be released.
>>     
>
> NAK this too. If someone releases an exploit publically or it leaks we
> want to be able to freely share it too. Your proposal would mean any but
> those dumb enough to agree to this could share it. That is why the unless made
> public is part of every generic NDA document on the planet.
>   
Agreed.  Changed the sentence.  Tks.
> The rest needs Linus to return from holiday for discussion and that'll
> be a week or two. In the meantime you might want to define "disclose" as
> I don't think we all agree on what it means as you've not defined who is and
> isn't the linux security team and/or its helpers.
Cool.

[-- Attachment #2: SecurityBugs.patch --]
[-- Type: text/plain, Size: 2693 bytes --]

--- SecurityBugs.orig	2008-07-16 23:46:09.000000000 -0300
+++ SecurityBugs	2008-07-21 07:28:01.000000000 -0300
@@ -1,7 +1,9 @@
-Linux kernel developers take security very seriously.  As such, we'd
-like to know when a security bug is found so that it can be fixed and
-disclosed as quickly as possible.  Please report security bugs to the
-Linux kernel security team.
+Linux kernel developers take security very seriously, in exactly the 
+same way we do with any other bugs.  As such, we'd like to know when 
+a security bug is found so that it can be fixed as soon as possible by
+the experts in this portion of the kernel code.
+
+Please report security bugs to the Linux kernel security team.
 
 1) Contact
 
@@ -14,23 +16,26 @@
 As it is with any bug, the more information provided the easier it
 will be to diagnose and fix.  Please review the procedure outlined in
 REPORTING-BUGS if you are unclear about what information is helpful.
-Any exploit code is very helpful and will not be released without
-consent from the reporter unless it has already been made public.
+Any exploit code is very helpful and will not be released by our team
+unless already made public.  The exploit code may be shared with third
+parties to facilitate a fix or to verify the vulnerability.
 
 2) Disclosure
 
 The goal of the Linux kernel security team is to work with the
 bug submitter to bug resolution as well as disclosure.  We prefer
-to fully disclose the bug as soon as possible.  It is reasonable to
+to not disclose the bug, since we believe any kind of bug deserves the
+same attention and will be quickly patched.  It is reasonable to
 delay disclosure when the bug or the fix is not yet fully understood,
 the solution is not well-tested or for vendor coordination.  However, we
 expect these delays to be short, measurable in days, not weeks or months.
 A disclosure date is negotiated by the security team working with the
-bug submitter as well as vendors.  However, the kernel security team
-holds the final say when setting a disclosure date.  The timeframe for
-disclosure is from immediate (esp. if it's already publically known)
-to a few weeks.  As a basic default policy, we expect report date to
-disclosure date to be on the order of 7 days.
+bug submitter as well as vendors if the submitter wants to disclose.  
+However, the kernel security team holds the final say when setting a 
+disclosure date.  The timeframe for disclousure is from immediate (esp. if
+it's already publically known) to a few weeks.  As a basic default policy,
+we expect report date to disclosure (if the submitter requires disclosure)
+to be on the order of 7 days.
 
 3) Non-disclosure agreements

next prev parent reply	other threads:[~2008-07-22  0:52 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20080701151057.930340322@mini.kroah.org>
2008-07-01 15:18 ` [patch 0/9] 2.6.25.10 -stable review Greg KH
2008-07-01 15:18   ` [patch 1/9] TTY: fix for tty operations bugs Greg KH
2008-07-01 16:01     ` Greg KH
2008-07-02  9:57       ` S.Çağlar Onur
2008-07-02  9:44         ` Alan Cox
2008-07-02 14:41         ` Greg KH
2008-07-02 15:09           ` S.Çağlar Onur
2008-07-16  4:01             ` [stable] Linux 2.6.25.10 (resume) Rodrigo Rubira Branco
2008-07-16  4:49               ` Greg KH
2008-07-18 14:07                 ` Rodrigo Rubira Branco (BSDaemon)
2008-07-18 15:20                   ` Willy Tarreau
2008-07-18 15:29                     ` Rodrigo Rubira Branco (BSDaemon)
2008-07-19  4:45                       ` david
2008-07-19 10:11                   ` Alan Cox
2008-07-22  0:48                     ` Rodrigo Rubira Branco (BSDaemon) [this message]
2008-07-23  4:27                       ` Greg KH
2008-07-23 11:54                         ` pageexec
2008-07-23 14:31                           ` Henrique de Moraes Holschuh
2008-07-23 14:53                             ` pageexec
2008-07-19 22:13                   ` Greg KH
2008-07-20 17:28                     ` Al Viro
2008-07-22  1:07                       ` Rodrigo Rubira Branco (BSDaemon)
2008-07-22  0:52                     ` Rodrigo Rubira Branco (BSDaemon)
2008-07-01 15:19   ` [patch 2/9] futexes: fix fault handling in futex_lock_pi Greg KH
2008-07-01 15:19   ` [patch 3/9] IB/mthca: Clear ICM pages before handing to FW Greg KH
2008-07-01 15:19   ` [patch 4/9] DRM: enable bus mastering on i915 at resume time Greg KH
2008-07-01 15:19   ` [patch 5/9] x86_64 ptrace: fix sys32_ptrace task_struct leak Greg KH
2008-07-01 15:19   ` [patch 6/9] sched: fix cpu hotplug Greg KH
2008-07-01 15:19   ` [patch 7/9] ptrace GET/SET FPXREGS broken Greg KH
2008-07-01 15:19   ` [patch 8/9] x86: fix cpu hotplug crash Greg KH
2008-07-01 15:19   ` [patch 9/9] x86: shift bits the right way in native_read_tscp Greg KH
2008-07-01 16:43   ` [patch 0/9] 2.6.25.10 -stable review Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48852E4D.3050405@la.checkpoint.com \
    --to=rbranco@la.checkpoint.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=alan@redhat.com \
    --cc=caglar@pardus.org.tr \
    --cc=casey@schaufler-ca.com \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=greg@kroah.com \
    --cc=gregkh@suse.de \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=pageexec@freemail.hu \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=rodrigo@kernelhacking.com \
    --cc=spender@grsecurity.net \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=w@1wt.eu \
    --cc=zwane@arm.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox