lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2023100546-unrelated-trekker-320b@gregkh>
Date:   Thu, 5 Oct 2023 10:56:58 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>, workflows@...r.kernel.org,
        linux-doc@...r.kernel.org, Jonathan Corbet <corbet@....net>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] Documentation: embargoed-hardware-issues.rst: Clarify
 prenotifaction

On Tue, Oct 03, 2023 at 05:50:03PM -0700, Kees Cook wrote:
> There has been a repeated misunderstanding about what the hardware embargo
> list is for. Clarify the language in the process so that it is clear
> that only fixes are coordinated. There is explicitly no prenotification
> process. The list members are also expected to keep total radio silence
> during embargoes.
> 
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: workflows@...r.kernel.org
> Cc: linux-doc@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  .../process/embargoed-hardware-issues.rst     | 19 ++++++++++++-------
>  1 file changed, 12 insertions(+), 7 deletions(-)
> 
> diff --git a/Documentation/process/embargoed-hardware-issues.rst b/Documentation/process/embargoed-hardware-issues.rst
> index ac7c52f130c9..31000f075707 100644
> --- a/Documentation/process/embargoed-hardware-issues.rst
> +++ b/Documentation/process/embargoed-hardware-issues.rst
> @@ -25,15 +25,15 @@ Contact
>  The Linux kernel hardware security team is separate from the regular Linux
>  kernel security team.
>  
> -The team only handles the coordination of embargoed hardware security
> -issues.  Reports of pure software security bugs in the Linux kernel are not
> +The team only handles developing fixes for embargoed hardware security
> +issues. Reports of pure software security bugs in the Linux kernel are not
>  handled by this team and the reporter will be guided to contact the regular
>  Linux kernel security team (:ref:`Documentation/admin-guide/
>  <securitybugs>`) instead.
>  
>  The team can be contacted by email at <hardware-security@...nel.org>. This
> -is a private list of security officers who will help you to coordinate an
> -issue according to our documented process.
> +is a private list of security officers who will help you to coordinate a
> +fix according to our documented process.
>  
>  The list is encrypted and email to the list can be sent by either PGP or
>  S/MIME encrypted and must be signed with the reporter's PGP key or S/MIME
> @@ -132,11 +132,11 @@ other hardware could be affected.
>  
>  The hardware security team will provide an incident-specific encrypted
>  mailing-list which will be used for initial discussion with the reporter,
> -further disclosure and coordination.
> +further disclosure, and coordination of fixes.
>  
>  The hardware security team will provide the disclosing party a list of
>  developers (domain experts) who should be informed initially about the
> -issue after confirming with the developers  that they will adhere to this
> +issue after confirming with the developers that they will adhere to this

Nit, whitespace change wasn't documented in the changelog :)

Thanks for this, it matches up with the list rules now much better (that
everyone gets when they join one of these lists), so I'll go apply it to
my tree now.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ