Message-ID: <20190719084215.GA24691@openwall.com>
Date:   Fri, 19 Jul 2019 10:42:15 +0200
From:   Solar Designer <solar@...nwall.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Sasha Levin <sashal@...nel.org>, corbet@....net, will@...nel.org,
        peterz@...radead.org, gregkh@...uxfoundation.org,
        tyhicks@...onical.com, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > > 
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@...nel.org's policy.
> > > > 
> > > > Suggested-by: Solar Designer <solar@...nwall.com>
> > > > Signed-off-by: Sasha Levin <sashal@...nel.org>
> > > 
> > > Sorry, but NACK, see below...

I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then
I suggest that we apply Sasha's first revision of the patch instead.
I think either revision is an improvement on the status quo.

> I think reinforcing information to avoid past mistakes is appropriate
> here.

Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:

- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.

- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@k.o or whether
they want someone on linux-distros to help coordinate with security@....
(Maybe this is something we want to write about here.)

- The Linux kernel bug having been introduced too recently to be of much
interest to distros.

> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.

This happens too.  Regarding missing the "[vs]" detail, technically
there are also a number of other conditions that let the message
through, but those are changing and are deliberately not advertised.

> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.

Right.

> This has caused leaks in the past

Do you mean leaks to *BSD security teams or to the public?  I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list.  Are you?

Alexander
