lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190711170732.GB7544@kroah.com>
Date:   Thu, 11 Jul 2019 19:07:32 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Sasha Levin <sashal@...nel.org>
Cc:     corbet@....net, solar@...nwall.com, will@...nel.org,
        keescook@...omium.org, peterz@...radead.org, tyhicks@...onical.com,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Documentation/security-bugs: provide more information
 about linux-distros

On Thu, Jul 11, 2019 at 12:36:37PM -0400, Sasha Levin wrote:
> Provide more information about how to interact with the linux-distros
> mailing list for disclosing security bugs.
> 
> First, clarify that the reporter must read and accept the linux-distros
> policies prior to sending a report.
> 
> Second, clarify that the reported must provide a tentative public
> disclosure date and time in his first contact with linux-distros.
> 
> Suggested-by: Solar Designer <solar@...nwall.com>
> Signed-off-by: Sasha Levin <sashal@...nel.org>
> ---
>  Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
> 
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..c62faced9256 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -61,14 +61,19 @@ Coordination
>  
>  Fixes for sensitive bugs, such as those that might lead to privilege
>  escalations, may need to be coordinated with the private
> -<linux-distros@...openwall.org> mailing list so that distribution vendors
> -are well prepared to issue a fixed kernel upon public disclosure of the
> -upstream fix. Distros will need some time to test the proposed patch and
> -will generally request at least a few days of embargo, and vendor update
> -publication prefers to happen Tuesday through Thursday. When appropriate,
> -the security team can assist with this coordination, or the reporter can
> -include linux-distros from the start. In this case, remember to prefix
> -the email Subject line with "[vs]" as described in the linux-distros wiki:
> +<linux-distros@...openwall.org> mailing list so that distribution vendors are
> +well prepared to issue a fixed kernel upon public disclosure of the upstream
> +fix. As a reporter, you must read and accept the list's policy as outlined in
> +the linux-distros wiki:
> +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>.
> +When you report a bug, you must also provide a tentative disclosure date and
> +time in your very first message to the list. Distros will need some time to
> +test the proposed patch so please allow at least a few days of embargo, and
> +vendor update publication prefers to happen Tuesday through Thursday. When
> +appropriate, the security team can assist with this coordination, or the
> +reporter can include linux-distros from the start. In this case, remember to
> +prefix the email Subject line with "[vs]" as described in the linux-distros
> +wiki:
>  <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>

Do we really need to describe all of the information on how to use the
distro list here?  That's why we included the link, as it has all of
this well spelled out and described.  If anything, I would say we should
say less in this document about what linux-distros do, as that is
independent of the Linux security team.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ