Date:   Mon, 6 Mar 2023 10:42:22 +0100
From:   Vegard Nossum <vegard.nossum@...cle.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org,
        Jiri Kosina <jkosina@...e.cz>,
        Solar Designer <solar@...nwall.com>,
        Will Deacon <will@...nel.org>, Willy Tarreau <w@....eu>,
        linux-kernel@...r.kernel.org, Amit Shah <aams@...zon.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Laura Abbott <labbott@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Thorsten Leemhuis <linux@...mhuis.info>,
        Tyler Hicks <tyhicks@...ux.microsoft.com>,
        Security Officers <security@...nel.org>
Subject: Re: [PATCH v3 0/7] Documentation/security-bugs: overhaul


On 3/6/23 07:02, Greg Kroah-Hartman wrote:
> On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote:
>> Lots of people have been confused about the 7/14 days of the kernel list
>> vs. the 7/14 days of the distros list, the fact that these are two
>> separate lists, etc. Many reporters contact distros first, or submit
>> their report to both lists at the same time (which has the unfortunate
>> effect of starting off the disclosure countdown for the distros list
>> before s@k.o has had a chance to look at the report). I've shared the v2
>> document with a couple of people who submitted reports and they said
>> they found it a lot clearer.
>>
>> Probably the easiest way to see the end result of this series is to view the
>> rendered HTML which I've put here:
>> https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html
> 
> Thanks for doing this, it looks much better, but I do have some
> objections with it.
> 
> First off, you didn't cc: the security@k.o group to see if they agree
> with this, any specific reason why?  :)

I did consider it, but thought it was better not to since this is not
a security issue -- but I see it's actually listed in MAINTAINERS (in an
entry I'm changing, no less... *facepalm*)

Added to Cc, beginning of the thread is here:
https://lore.kernel.org/all/20230305220010.20895-1-vegard.nossum@oracle.com/

> Secondly, and the bigger one, I think we should just drop all of the
> references to linux-distros and oss-security entirely, as those are
> groups that are outside of our control and interaction and have
> different rules that we might not agree with.

I find this a strange sentiment. All the major Linux distros have a
presence on the distros list and it remains a valuable resource for
coordination.

I think most of the friction of the past should have been resolved by
the distros list actually updating its rules last year (if not 100%
according to your wishes, at least a good step in that direction); any
remaining problems should hopefully be resolved by improving the
documentation so that issues are not sent to the distros list prematurely.

> They are also just a tiny subset of Linux users and companies and as such
> do not really reflect the majority of where Linux is used anymore.

Is the elephant in the room that Android vendors are not rolling out
kernel updates in the 7-14 days given by distros to publicly disclose
the reported issues? If so, then I think this is the real issue here,
and it should be stated outright.

> But overall I like the slimmer size, so perhaps the end result just
> being the first two major sections would be best.  Let me take those
> changes first and we can see how the result looks for now to see if that
> will resolve some of the major issues the security@k.o group have right
> now with reports (i.e. CVE requests, other group's disclosure rules and
> dates).

I personally think it would be a mistake not to include the info about
the other lists, both because I think they have real value (and I do
think they represent Linux kernel users, if not kernel developers) but
also because, as Willy said, people will find the wrong information
elsewhere and submit issues anyway, people are still going to want to
request CVEs (regardless of what you or I think about them), etc.

Anyway, I don't represent s@k.o so I don't decide, I really just want
security for end users and as responsible disclosure as we can hope for.
The patches are out there so feel free to use whatever you want from them.

Thanks for looking it over.


Vegard
