| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 5 Mar 2023 15:38:21 +0100
From: Vegard Nossum <vegard.nossum@...cle.com>
To: Will Deacon <will@...nel.org>
Cc: Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, Amit Shah <aams@...zon.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Jiri Kosina <jkosina@...e.cz>,
Kees Cook <keescook@...omium.org>,
Laura Abbott <labbott@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Solar Designer <solar@...nwall.com>,
Thomas Gleixner <tglx@...utronix.de>,
Thorsten Leemhuis <linux@...mhuis.info>,
Tyler Hicks <tyhicks@...ux.microsoft.com>,
Willy Tarreau <w@....eu>
Subject: Re: [PATCH v2] Documentation/security-bugs: overhaul
On 6/9/22 16:51, Will Deacon wrote:
> On Tue, Jun 07, 2022 at 03:06:37PM +0200, Vegard Nossum wrote:
>> On 6/7/22 11:07, Will Deacon wrote:
>>> I think there's a semantic change here, and I tend to feel that these sort
>>> of changes would be much easier to review if the semantic changes were done
>>> separately from the reformatting or the addition of entirely new sections.
>>> As it stands, the whole doc is effectively being replaced, but what we
>>> currently have has been tweaked over the years (often as a result of
>>> spirited debate) and I'm keen not to open up some of the issues we had
>>> previously if at all possible.
>>
>> My goal with the rewrite was to clarify the policy for reporters,
>> include the updates to linux-distros policy, and turn the document into
>> more of a step-by-step guide for reporters that corresponds to both what
>> happens in reality and what the "ideal" flow for a security bug report
>> is. It's not my intention here to modify the policy itself.
>
> Oh, for-sure, I'm not trying to suggest there's any malice involved here.
> Rather, my heart sinks at the prospect of reopening old (and, frankly,
> tedious) discussions around the finer details of what is in that doc.
>
>> My impression of the current document is that it's a little bit chaotic
>> and difficult to follow -- perhaps exactly because of tweaking over the
>> years rather than writing for the reader/reporter.
>
> That's a fair criticism, but a straight-up rewrite won't solve that imo; the
> thing will still get tweaked until the next rewrite comes along etc etc
[...]
> What exactly is unreadable with the current doc?
Lots of people have been confused about the 7/14 days of the kernel list
vs. the 7/14 days of the distros list, the fact that these are two
separate groups, etc. Many reporters contact distros first, or submit
their report to both lists at the same time (which has the unfortunate
effect of starting off the disclosure countdown for the distros list
before s@k.o has had a chance to look at the report). I've since shared
the updated doc with a couple of people who submitted reports and they
said they found it a lot clearer.
I've split my changes into a series of 7 patches and reverted some of
the wording back to the original document in the cases where you thought
the original was clearer or the semantics had changed -- will send it
out shortly.
Thanks for your comments so far.
Vegard
Powered by blists - more mailing lists