Message-ID: <20200713112445.GJ34333@vkoul-mobl>
Date:   Mon, 13 Jul 2020 16:54:45 +0530
From:   Vinod Koul <vkoul@...nel.org>
To:     Greg KH <greg@...ah.com>
Cc:     "Alexander A. Klimov" <grandmaster@...klimov.de>,
        chenyu56@...wei.com, wangbinghui@...ilicon.com, kishon@...com,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB IP DRIVER FOR HISILICON KIRIN: Replace HTTP links
 with HTTPS ones

On 10-07-20, 09:06, Greg KH wrote:
> On Thu, Jul 09, 2020 at 11:09:33PM +0200, Alexander A. Klimov wrote:
> > Rationale:
> > Reduces attack surface on kernel devs opening the links for MITM
> > as HTTPS traffic is much harder to manipulate.
> > 
> > Deterministic algorithm:
> > For each file:
> >   If not .svg:
> >     For each line:
> >       If doesn't contain `\bxmlns\b`:
> >         For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
> >           If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
> >             If both the HTTP and HTTPS versions
> >             return 200 OK and serve the same content:
> >               Replace HTTP with HTTPS.
> > 
> > Signed-off-by: Alexander A. Klimov <grandmaster@...klimov.de>
> > ---
> >  Continuing my work started at 93431e0607e5.
> >  See also: git log --oneline '--author=Alexander A. Klimov <grandmaster@...klimov.de>' v5.7..master
> >  (Actually letting a shell for loop submit all this stuff for me.)
> > 
> >  If there are any URLs to be removed completely or at least not HTTPSified:
> >  Just clearly say so and I'll *undo my change*.
> >  See also: https://lkml.org/lkml/2020/6/27/64
> > 
> >  If there are any valid, but yet not changed URLs:
> >  See: https://lkml.org/lkml/2020/6/26/837
> > 
> >  If you apply the patch, please let me know.
> 
> Again, please fix your subject line.

Is there any rationale for these patches? They replace documentation
links of vendors; I am not sure if that is super helpful to kernel devs,
and does it really protect :)

-- 
~Vinod
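
The deterministic algorithm quoted from the commit message, as an added sketch that is not part of this thread and not the patch author's own script. The function names, the `same_content` predicate (standing in for the live "200 OK and same content" comparison) and the sample text are assumptions, and the license exclusion is assumed to be tested against each link.

```python
import re

# Patterns copied verbatim from the quoted commit message.
XMLNS = re.compile(r"\bxmlns\b")
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")
LICENSE = re.compile(r"\bgnu\.org/license|\bmozilla\.org/MPL\b")


def httpsify_line(line, same_content):
    """Upgrade eligible http:// links in one line.

    same_content(http_url, https_url) is a caller-supplied predicate
    (assumed name) for the "both return 200 OK and serve the same
    content" step, so the rewrite logic itself runs offline.
    """
    if XMLNS.search(line):
        return line  # namespace identifiers, not links to fetch

    def swap(match):
        url = match.group(0)
        if LICENSE.search(url):  # assumption: exclusion is tested per link
            return url
        candidate = "https://" + url[len("http://"):]
        return candidate if same_content(url, candidate) else url

    return LINK.sub(swap, line)


def httpsify_file(path, text, same_content):
    """Apply the per-line rewrite to every file except .svg."""
    if path.endswith(".svg"):
        return text
    lines = text.splitlines(keepends=True)
    return "".join(httpsify_line(l, same_content) for l in lines)


# Constructed sample input and a constructed stand-in for the network check.
SAMPLE = (
    " * See http://www.example.com/docs/usb.html.\n"
    " * License: http://www.gnu.org/licenses/gpl-2.0.html\n"
    '<svg xmlns="http://www.w3.org/2000/svg">\n'
    " * Old mirror: http://legacy.example.net/spec\n"
)
HTTPS_OK = {"www.example.com", "www.gnu.org", "www.w3.org"}


def fake_check(http_url, https_url):
    return https_url.split("/")[2] in HTTPS_OK


if __name__ == "__main__":
    print(httpsify_file("driver.c", SAMPLE, fake_check), end="")
```

Only the first sample link is rewritten: the license URL and the `xmlns` line are excluded by pattern, and the last link stays HTTP because the stand-in check reports no matching HTTPS copy.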
