Open Source and information security mailing list archives
Date:   Sat, 4 Jun 2022 01:43:17 +0100
From:   Mauro Carvalho Chehab <mchehab@...nel.org>
To:     Jonathan Corbet <corbet@....net>
Cc:     Vegard Nossum <vegard.nossum@...cle.com>,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        Amit Shah <aams@...zon.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Jiri Kosina <jkosina@...e.cz>,
        Kees Cook <keescook@...omium.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Solar Designer <solar@...nwall.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Thorsten Leemhuis <linux@...mhuis.info>,
        Will Deacon <will@...nel.org>, Willy Tarreau <w@....eu>
Subject: Re: [PATCH] Documentation/security-bugs: overhaul

On Wed, 01 Jun 2022 10:58:50 -0600
Jonathan Corbet <corbet@....net> wrote:

> Vegard Nossum <vegard.nossum@...cle.com> writes:
> 
> > The current instructions for reporting security vulnerabilities in the
> > kernel are not clear enough, in particular the process of disclosure
> > and requesting CVEs, and what the roles of the different lists are and
> > how exactly to report to each of them.
> >
> > Let's give this document an overhaul. Goals are stated as a comment at
> > the top of the document itself (these will not appear in the rendered
> > document).  
> 
> OK, some other thoughts...
> 
> [...]
> 
> > +Linux kernel security team at security@...nel.org, henceforth "the
> > +security list". This is a closed list of trusted developers who will
> > +help verify the bug report and develop a patch.
> > +
> > +While the security list is closed, the security team may bring in
> > +extra help from the relevant maintainers to understand and fix the
> > +security vulnerability.
> > +
> > +Note that the main interest of the kernel security list is in getting
> > +bugs fixed; CVE assignment, disclosure to distributions, and public
> > +disclosure happens on different lists with different people.  
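Review bot: the first paragraph coins the term "the security list" for security@...nel.org and the next paragraph switches to "the security team" for the same group of people; use one name throughout (the list is the address, the team is the people on it), for example "While the security list is closed, its members may bring in extra help from the relevant maintainers ...".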
> 
> Adding "as described below" or some such might be helpful for readers
> who are mostly interested in those things.  
> 
> > +Here is a quick overview of the various lists:
> > +
> > +.. list-table::
> > +   :widths: 35 10 20 35
> > +   :header-rows: 1
> > +
> > +   * - List address
> > +     - Open?
> > +     - Purpose
> > +     - Members
> > +   * - security@...nel.org
> > +     - Closed
> > +     - Reporting; patch development
> > +     - Trusted kernel developers
> > +   * - linux-distros@...openwall.org
> > +     - Closed
> > +     - Coordination; CVE assignment; patch development, testing, and backporting
> > +     - Linux distribution representatives
> > +   * - oss-security@...ts.openwall.com
> > +     - Public
> > +     - Disclosure
> > +     - General public  
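Review bot: the "Open?" column header asks a yes/no question but the cells answer "Closed" and "Public"; either rename the header (e.g. "Access") or make the cells "no"/"yes" so they agree with it. Also, the linux-distros row's Purpose entry ("Coordination; CVE assignment; patch development, testing, and backporting") packs five items into the narrowest column (":widths: 35 10 20 35" gives it 20), so it will wrap badly when rendered; listing the items one per line reads better in both the rendered and the plain-text output.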
> 
> Please don't use list-table, that's totally unreadable in the plain-text
> format.  How about something like:
> 
>  =============================== ===== ================= ===============
>  List address                    Open? Purpose           Members
>  =============================== ===== ================= ===============
>  security@...nel.org                no Reporting         Trusted kernel
>                                                          developers
>                                        Patch development
>  linux-distros@...openwall.org      no Coordination      Distribution 
>                                                          representatives
>                                        CVE assignment
>                                        Patch development
>                                        Testing
>                                        Backporting
>  oss-security@...ts.openwall.com   yes Disclosure        General public
>  =============================== ===== ================= ===============
> 
> (Note I haven't tried to format this, there's probably an error in there
> somewhere). 

Yeah, I guess the right syntax is something like:

  =============================== ===== ================= ===============
  List address                    Open? Purpose           Members
  ------------------------------- ----- ----------------- ---------------
  security@...nel.org                no Reporting         Trusted kernel
                                                          developers
                                        Patch development
  linux-distros@...openwall.org      no Coordination      Distribution 
                                                          representatives
                                        CVE assignment

                                        Patch development

                                        Testing

                                        Backporting
  oss-security@...ts.openwall.com   yes Disclosure        General public
  =============================== ===== ================= ===============

Regards,
Mauro
