| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Jun 2022 23:31:19 +0200 (CEST)
From: Jiri Kosina <jikos@...nel.org>
To: Vegard Nossum <vegard.nossum@...cle.com>
cc: Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, Amit Shah <aams@...zon.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Kees Cook <keescook@...omium.org>,
Laura Abbott <labbott@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Solar Designer <solar@...nwall.com>,
Thomas Gleixner <tglx@...utronix.de>,
Thorsten Leemhuis <linux@...mhuis.info>,
Tyler Hicks <tyhicks@...ux.microsoft.com>,
Will Deacon <will@...nel.org>, Willy Tarreau <w@....eu>
Subject: Re: [PATCH v2] Documentation/security-bugs: overhaul
On Mon, 6 Jun 2022, Vegard Nossum wrote:
> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the bottom of the document; these will not appear in the rendered HTML
> document.
>
> v2: address feedback from Willy Tarreau and Jonathan Corbet
>
> Link: https://seclists.org/oss-sec/2022/q2/133
> Cc: Amit Shah <aams@...zon.com>
> Cc: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: David Woodhouse <dwmw@...zon.co.uk>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: Gustavo A. R. Silva <gustavoars@...nel.org>
> Cc: Jiri Kosina <jkosina@...e.cz>
> Cc: Jonathan Corbet <corbet@....net>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Laura Abbott <labbott@...nel.org>
> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Mauro Carvalho Chehab <mchehab@...nel.org>
> Cc: Paolo Bonzini <pbonzini@...hat.com>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Solar Designer <solar@...nwall.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Thorsten Leemhuis <linux@...mhuis.info>
> Cc: Tyler Hicks <tyhicks@...ux.microsoft.com>
> Cc: Will Deacon <will@...nel.org>
> Cc: Willy Tarreau <w@....eu>
> Signed-off-by: Vegard Nossum <vegard.nossum@...cle.com>
> ---
> Documentation/admin-guide/security-bugs.rst | 252 +++++++++++++-------
> 1 file changed, 167 insertions(+), 85 deletions(-)
>
> v1 thread:
> https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@oracle.com/T/#u
>
> Updated rendered HTML:
> https://vegard.github.io/security/Documentation/output/admin-guide/security-bugs-v2.html
>
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..c63eeb1e89ffd 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
Thanks for investing time into fixing this aged document.
Two rather minor things come to my mind, but as you are touching that
document anyway ...
- what sense does it make to have embargoed-hardware-issues.rst and
security-bugs.rst live in different Documentation/ subdirectories
(admin-guide/ vs process/)? It'd seem to make sense to me to have them
in one common place?
- would it make sense to briefly reference embargoed-hardware-issues.rst
somewhere in this text, to make the distinction as obvious as possible?
It's referenced the other way around.
Thanks,
--
Jiri Kosina
SUSE Labs
Powered by blists - more mailing lists