* [PATCH] dev-manual/security-subjects.rst: update mailing lists
@ 2025-08-29 9:08 Antonin Godard
2025-09-01 11:35 ` [docs] " Quentin Schulz
0 siblings, 1 reply; 5+ messages in thread
From: Antonin Godard @ 2025-08-29 9:08 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Update mailing lists following changes by Michael Halstead
(https://lists.yoctoproject.org/g/yocto-security/message/1478).
Also fix formatting/spacing.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst
index 1b02b6a9e9..6785b5a16a 100644
--- a/documentation/dev-manual/security-subjects.rst
+++ b/documentation/dev-manual/security-subjects.rst
@@ -52,19 +52,24 @@ for them for significant issues.
Security-related discussions at the Yocto Project
-------------------------------------------------
-We have set up two security-related mailing lists:
+We have set up two security-related emails/mailing lists:
- - Public List: yocto [dash] security [at] yoctoproject[dot] org
+ - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
- This is a public mailing list for anyone to subscribe to. This list is an
- open list to discuss public security issues/patches and security-related
- initiatives. For more information, including subscription information,
- please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`.
+ This is a public mailing list for anyone to subscribe to. This list is an
+ open list to discuss public security issues/patches and security-related
+ initiatives. For more information, including subscription information,
+ please see the :yocto_lists:`yocto-security mailing list info page
+ </g/yocto-security>`.
- - Private List: security [at] yoctoproject [dot] org
+ This list requires moderator approval for new topics to be posted, to avoid
+ private security reports to be posted by mistake.
- This is a private mailing list for reporting non-published potential
- vulnerabilities. The list is monitored by the Yocto Project Security team.
+ - Yocto Project Security Team: security [at] yoctoproject [dot] org
+
+ This is an email for reporting non-published potential vulnerabilities.
+ Emails sent to this address are forwarded to the Yocto Project Security
+ Team members.
What you should do if you find a security vulnerability
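Review bot: In the paragraph added under the public list entry, "to avoid private security reports to be posted by mistake" is ungrammatical. Suggest "to avoid private security reports being posted by mistake", or "so that private security reports are not posted there by mistake". The intro line "two security-related emails/mailing lists" could likewise be spelled out as one public mailing list and one email address, which is what the two renamed entries describe.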
---
base-commit: dbc6137cd13f982a7fd4d1b2df79dccb177db0fc
change-id: 20250829-update-security-lists-d524520db2c9
Best regards,
--
Antonin Godard <antonin.godard@bootlin.com>
* Re: [docs] [PATCH] dev-manual/security-subjects.rst: update mailing lists
2025-08-29 9:08 [PATCH] dev-manual/security-subjects.rst: update mailing lists Antonin Godard
@ 2025-09-01 11:35 ` Quentin Schulz
2025-09-02 7:06 ` Antonin Godard
0 siblings, 1 reply; 5+ messages in thread
From: Quentin Schulz @ 2025-09-01 11:35 UTC (permalink / raw)
To: antonin.godard, docs; +Cc: Thomas Petazzoni
Hi Antonin,
On 8/29/25 11:08 AM, Antonin Godard via lists.yoctoproject.org wrote:
> Update mailing lists following changes by Michael Halstead
> (https://lists.yoctoproject.org/g/yocto-security/message/1478).
>
> Also fix formatting/spacing.
>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++---------
> 1 file changed, 14 insertions(+), 9 deletions(-)
>
> diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst
> index 1b02b6a9e9..6785b5a16a 100644
> --- a/documentation/dev-manual/security-subjects.rst
> +++ b/documentation/dev-manual/security-subjects.rst
> @@ -52,19 +52,24 @@ for them for significant issues.
> Security-related discussions at the Yocto Project
> -------------------------------------------------
>
> -We have set up two security-related mailing lists:
> +We have set up two security-related emails/mailing lists:
>
> - - Public List: yocto [dash] security [at] yoctoproject[dot] org
> + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
>
> - This is a public mailing list for anyone to subscribe to. This list is an
> - open list to discuss public security issues/patches and security-related
> - initiatives. For more information, including subscription information,
> - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`.
> + This is a public mailing list for anyone to subscribe to. This list is an
> + open list to discuss public security issues/patches and security-related
> + initiatives. For more information, including subscription information,
> + please see the :yocto_lists:`yocto-security mailing list info page
> + </g/yocto-security>`.
>
> - - Private List: security [at] yoctoproject [dot] org
> + This list requires moderator approval for new topics to be posted, to avoid
> + private security reports to be posted by mistake.
>
> - This is a private mailing list for reporting non-published potential
> - vulnerabilities. The list is monitored by the Yocto Project Security team.
> + - Yocto Project Security Team: security [at] yoctoproject [dot] org
> +
> + This is an email for reporting non-published potential vulnerabilities.
> + Emails sent to this address are forwarded to the Yocto Project Security
> + Team members.
>
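Review bot: The commit message says formatting/spacing is fixed, but the two obfuscated addresses are still spaced differently: the "Public Mailing List" line keeps "yoctoproject[dot] org" while the "Yocto Project Security Team" line has "yoctoproject [dot] org". The public list line is already being rewritten in this hunk, so add the missing space there so that both read "yoctoproject [dot] org".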
Matches what Michael said on the ML, so I guess
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Please also backport wherever appropriate (maybe we should think about
having this under the same mechanism we use for migration manuals so
it's never outdated even in old release manuals?).
Thanks!
Quentin
* Re: [docs] [PATCH] dev-manual/security-subjects.rst: update mailing lists
2025-09-01 11:35 ` [docs] " Quentin Schulz
@ 2025-09-02 7:06 ` Antonin Godard
2025-09-02 8:53 ` Quentin Schulz
0 siblings, 1 reply; 5+ messages in thread
From: Antonin Godard @ 2025-09-02 7:06 UTC (permalink / raw)
To: quentin.schulz, docs; +Cc: Thomas Petazzoni
On Mon Sep 1, 2025 at 1:35 PM CEST, Quentin Schulz via lists.yoctoproject.org wrote:
> Hi Antonin,
>
> On 8/29/25 11:08 AM, Antonin Godard via lists.yoctoproject.org wrote:
>> Update mailing lists following changes by Michael Halstead
>> (https://lists.yoctoproject.org/g/yocto-security/message/1478).
>>
>> Also fix formatting/spacing.
>>
>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
>> ---
>> documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++---------
>> 1 file changed, 14 insertions(+), 9 deletions(-)
>>
>> diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst
>> index 1b02b6a9e9..6785b5a16a 100644
>> --- a/documentation/dev-manual/security-subjects.rst
>> +++ b/documentation/dev-manual/security-subjects.rst
>> @@ -52,19 +52,24 @@ for them for significant issues.
>> Security-related discussions at the Yocto Project
>> -------------------------------------------------
>>
>> -We have set up two security-related mailing lists:
>> +We have set up two security-related emails/mailing lists:
>>
>> - - Public List: yocto [dash] security [at] yoctoproject[dot] org
>> + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
>>
>> - This is a public mailing list for anyone to subscribe to. This list is an
>> - open list to discuss public security issues/patches and security-related
>> - initiatives. For more information, including subscription information,
>> - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`.
>> + This is a public mailing list for anyone to subscribe to. This list is an
>> + open list to discuss public security issues/patches and security-related
>> + initiatives. For more information, including subscription information,
>> + please see the :yocto_lists:`yocto-security mailing list info page
>> + </g/yocto-security>`.
>>
>> - - Private List: security [at] yoctoproject [dot] org
>> + This list requires moderator approval for new topics to be posted, to avoid
>> + private security reports to be posted by mistake.
>>
>> - This is a private mailing list for reporting non-published potential
>> - vulnerabilities. The list is monitored by the Yocto Project Security team.
>> + - Yocto Project Security Team: security [at] yoctoproject [dot] org
>> +
>> + This is an email for reporting non-published potential vulnerabilities.
>> + Emails sent to this address are forwarded to the Yocto Project Security
>> + Team members.
>>
>
> Matches what Michael said on the ML, so I guess
>
> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
>
> Please also backport wherever appropriate (maybe we should think about
> having this under the same mechanism we use for migration manuals so
> it's never outdated even in old release manuals?).
I think the idea is good.
One tricky point is that this is part of the development manual which has been
split in multiple documents not so long ago, so it wouldn't apply to old
releases → maybe we should move this out of the development manual and make it a
distinct (and more visible) section? What do you think? This is about security,
not really a development task.
Antonin
--
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [docs] [PATCH] dev-manual/security-subjects.rst: update mailing lists
2025-09-02 7:06 ` Antonin Godard
@ 2025-09-02 8:53 ` Quentin Schulz
2025-09-02 9:07 ` Antonin Godard
0 siblings, 1 reply; 5+ messages in thread
From: Quentin Schulz @ 2025-09-02 8:53 UTC (permalink / raw)
To: Antonin Godard, docs; +Cc: Thomas Petazzoni
Hi Antonin,
On 9/2/25 9:06 AM, Antonin Godard wrote:
> On Mon Sep 1, 2025 at 1:35 PM CEST, Quentin Schulz via lists.yoctoproject.org wrote:
>> Hi Antonin,
>>
>> On 8/29/25 11:08 AM, Antonin Godard via lists.yoctoproject.org wrote:
>>> Update mailing lists following changes by Michael Halstead
>>> (https://lists.yoctoproject.org/g/yocto-security/message/1478).
>>>
>>> Also fix formatting/spacing.
>>>
>>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
>>> ---
>>> documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++---------
>>> 1 file changed, 14 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst
>>> index 1b02b6a9e9..6785b5a16a 100644
>>> --- a/documentation/dev-manual/security-subjects.rst
>>> +++ b/documentation/dev-manual/security-subjects.rst
>>> @@ -52,19 +52,24 @@ for them for significant issues.
>>> Security-related discussions at the Yocto Project
>>> -------------------------------------------------
>>>
>>> -We have set up two security-related mailing lists:
>>> +We have set up two security-related emails/mailing lists:
>>>
>>> - - Public List: yocto [dash] security [at] yoctoproject[dot] org
>>> + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
>>>
>>> - This is a public mailing list for anyone to subscribe to. This list is an
>>> - open list to discuss public security issues/patches and security-related
>>> - initiatives. For more information, including subscription information,
>>> - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`.
>>> + This is a public mailing list for anyone to subscribe to. This list is an
>>> + open list to discuss public security issues/patches and security-related
>>> + initiatives. For more information, including subscription information,
>>> + please see the :yocto_lists:`yocto-security mailing list info page
>>> + </g/yocto-security>`.
>>>
>>> - - Private List: security [at] yoctoproject [dot] org
>>> + This list requires moderator approval for new topics to be posted, to avoid
>>> + private security reports to be posted by mistake.
>>>
>>> - This is a private mailing list for reporting non-published potential
>>> - vulnerabilities. The list is monitored by the Yocto Project Security team.
>>> + - Yocto Project Security Team: security [at] yoctoproject [dot] org
>>> +
>>> + This is an email for reporting non-published potential vulnerabilities.
>>> + Emails sent to this address are forwarded to the Yocto Project Security
>>> + Team members.
>>>
>>
>> Matches what Michael said on the ML, so I guess
>>
>> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
>>
>> Please also backport wherever appropriate (maybe we should think about
>> having this under the same mechanism we use for migration manuals so
>> it's never outdated even in old release manuals?).
>
> I think the idea is good.
>
> One tricky point is that this is part of the development manual which has been
> split in multiple documents not so long ago, so it wouldn't apply to old
> releases → maybe we should move this out of the development manual and make it a
We can still try to figure out a way to have this similarly implemented
for older but still supported releases?
> distinct (and more visible) section? What do you think? This is about security,
> not really a development task.
>
Yes to making it more visible since I assume we want people to not have
to look too hard on how to report security issues otherwise we may
either not receive reports or have them reported on the wrong channels.
I guess we can have it amongst the Introduction and Overview section in
the navigation panel on the left?
I think we should probably add a new section where we say that these
instructions may be outdated and you should really be double-checking
against the latest version of this security document (and maybe link to
e.g. docs.yoctoproject.org/dev/security-whatever)? If we ever change the
process, we wouldn't want people to misreport because they read the old
version of the instructions?
Cheers,
Quentin
* Re: [docs] [PATCH] dev-manual/security-subjects.rst: update mailing lists
2025-09-02 8:53 ` Quentin Schulz
@ 2025-09-02 9:07 ` Antonin Godard
0 siblings, 0 replies; 5+ messages in thread
From: Antonin Godard @ 2025-09-02 9:07 UTC (permalink / raw)
To: quentin.schulz, docs; +Cc: Thomas Petazzoni
On Tue Sep 2, 2025 at 10:53 AM CEST, Quentin Schulz via lists.yoctoproject.org wrote:
[...]
>>> Please also backport wherever appropriate (maybe we should think about
>>> having this under the same mechanism we use for migration manuals so
>>> it's never outdated even in old release manuals?).
>>
>> I think the idea is good.
>>
>> One tricky point is that this is part of the development manual which has been
>> split in multiple documents not so long ago, so it wouldn't apply to old
>> releases → maybe we should move this out of the development manual and make it a
>
> We can still try to figure out a way to have this similarly implemented
> for older but still supported releases?
Sure, if you mean walnascar/scarthgap/kirkstone I was planning on backporting
this manually to these branches anyway.
>> distinct (and more visible) section? What do you think? This is about security,
>> not really a development task.
>>
>
> Yes to making it more visible since I assume we want people to not have
> to look too hard on how to report security issues otherwise we may
> either not receive reports or have them reported on the wrong channels.
>
> I guess we can have it amongst the Introduction and Overview section in
> the navigation panel on the left?
>
> I think we should probably add a new section where we say that these
> instructions may be outdated and you should really be double-checking
> against the latest version of this security document (and maybe link to
> e.g. docs.yoctoproject.org/dev/security-whatever)? If we ever change the
> process, we wouldn't want people to misreport because they read the old
> version of the instructions?
Yes, those are all valid points. I think it should show up on the navigation
panel. I'll try to come up with something. :)
Thanks,
Antonin
--
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com