lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 18 Jul 2019 18:51:07 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Sasha Levin <sashal@...nel.org>
Cc:     corbet@....net, solar@...nwall.com, will@...nel.org,
        peterz@...radead.org, gregkh@...uxfoundation.org,
        tyhicks@...onical.com, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information
 about linux-distros

On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > Provide more information about how to interact with the linux-distros
> > > mailing list for disclosing security bugs.
> > > 
> > > Reference the linux-distros list policy and clarify that the reporter
> > > must read and understand those policies as they differ from
> > > security@...nel.org's policy.
> > > 
> > > Suggested-by: Solar Designer <solar@...nwall.com>
> > > Signed-off-by: Sasha Levin <sashal@...nel.org>
> > 
> > Sorry, but NACK, see below...
> > 
> > > ---
> > > 
> > > Changes in v2:
> > >  - Focus more on pointing to the linux-distros wiki and policies.
> > 
> > I think this is already happening in the text. What specifically do you
> > want described differently?
> 
> The main issue was that there isn't anything pointing to the
> linux-distros policies. The current text outlines a few of them ("add
> [vs]", and "there should be an embargo period"), but it effectively just
> gives out the linux-distros mailing address and tells the reporter to
> contact it.

The current text includes the wiki link, but yes, the anchor tag is not
present at the wiki anymore. I would agree that's due for updating.

I think reinforcing information to avoid past mistakes is appropriate
here. Reports have regularly missed the "[vs]" detail or suggested
embargoes that ended on Fridays, etc.

> > >  - Remove explicit linux-distros email.
> > 
> > I don't like this because we had past trouble with notifications going
> > to the distros@ list and leaking Linux-only flaws to the BSDs. As there
> > isn't a separate linux-distros wiki, the clarification of WHICH list is
> > needed.
> 
> Why would removing the explicit linux-distros email encourage people to
> send reports to it?

What? No, I'm saying we should _keep_ linux-distros@... in our text so
that people don't send to the wrong list.

> I also don't understand what you mean by "there isn't a separate
> linux-distros wiki"? There is one, and I want to point the reporter
> there.

That URL is a combined page for two lists. The very fact that it's
not obvious that there are two lists described there is exactly why I
think we need to keep an explicit mention of which to use. There are
two mailing lists described at the wiki URL:

	      distros@...ts.openwall.com
	linux-distros@...ts.openwall.com

Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
distros. This has caused leaks in the past, and we do not want people
guessing at which list they should use.

Also note that nowhere on the openwall wiki is the email address
actually spelled out; this is another reason to spell it out in our
documentation: no misunderstanding.

(And historically there WAS a specific linux-distros wiki:
https://oss-security.openwall.org/wiki/mailing-lists/linux-distros
but it redirects to the combined one now...)

> > >  - Remove various explanations of linux-distros policies.
> > 
> > I don't think there's value in removing the Tue-Thu comment, nor
> > providing context for why distros need time. This has been a regular
> > thing we've had to explain to researchers that aren't familiar with
> > update procedures and publication timing.
> 
> To be fair, the Tue-Thu comment is listed in the section describing how
> to do coordination with linux-distros, and linux-distros don't have a
> Tue-Thu policy. If it's a security@...nel.org policy then let's list it
> elsewhere.

It's a distro preference. Many researchers aren't thinking about the
larger Linux ecosystem that has to consume fixes. It's not a _policy_,
but it makes the researchers understand how to construct better embargoes.

> If you feel that there is a consensus around Tue-Thu let's just add it
> to the linux-distros policy wiki, there's no point in listing random
> policies from that wiki.

I think it'd be a good idea to add that note also to the wiki, but I
don't want it removed from our text because I have had to repeat that
information regularly in the past.

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ