Message-ID: <20190719084215.GA24691@openwall.com>
Date:   Fri, 19 Jul 2019 10:42:15 +0200
From:   Solar Designer <solar@...nwall.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Sasha Levin <sashal@...nel.org>, corbet@....net, will@...nel.org,
        peterz@...radead.org, gregkh@...uxfoundation.org,
        tyhicks@...onical.com, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > > 
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@...nel.org's policy.
> > > > 
> > > > Suggested-by: Solar Designer <solar@...nwall.com>
> > > > Signed-off-by: Sasha Levin <sashal@...nel.org>
> > > 
> > > Sorry, but NACK, see below...

I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then
I suggest that we apply Sasha's first revision of the patch instead.
I think either revision is an improvement on the status quo.

> I think reinforcing information to avoid past mistakes is appropriate
> here.

Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:

- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.
- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@k.o or whether
they want someone on linux-distros to help coordinate with security@....
(Maybe this is something we want to write about here.)
- The Linux kernel bug having been introduced too recently to be of much
interest to distros.

> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.

This happens too.  Regarding missing the "[vs]" detail, technically
there are also a number of other conditions that let the message
through, but those are changing and are deliberately not advertised.

> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.

Right.

> This has caused leaks in the past

Do you mean leaks to *BSD security teams or to the public?  I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list.  Are you?

Alexander