Date: Thu, 15 Feb 2024 18:38:05 +0100 (CET)
From: Jiri Kosina <jikos@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
cc: corbet@....net, workflows@...r.kernel.org, linux-doc@...r.kernel.org, 
    linux-kernel@...r.kernel.org, security@...nel.org, linux@...mhuis.info, 
    Kees Cook <keescook@...omium.org>, 
    Konstantin Ryabitsev <konstantin@...uxfoundation.org>, 
    Krzysztof Kozlowski <krzk@...nel.org>, 
    Lukas Bulwahn <lukas.bulwahn@...il.com>, Sasha Levin <sashal@...nel.org>, 
    Lee Jones <lee@...nel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:

> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.

There is still one thing that's not clear to me with this new process, and 
that's how embargoes are going to be handled.

Currently, the process is broken as well, but at least understood by 
everybody.

- issues are reported to security@...nel.org. No CVE assigned, 7 days 
  embargo, then fix gets pushed out

- at some point (in parallel, before, or after the above), the issue gets 
  reported to linux-distros@. CVE gets assigned, and downstreams start 
  integrating the fix (once available) to their codebase.

- embargo is lifted, fixes are released with proper CVE reference

What is the new process going to look like? Please keep in mind that 
linux-stable is (by far!) *not* the only downstream of Linux Kernel 
project.

We've had this discussion in other contexts already, but I whole-heartedly 
believe that it's in no way in the Linux Kernel project's interest to kill 
those other downstreams (read: Linux distros) (*) ... or is it?

(*) just looking at how much those not-basing-on-stable distros are 
    contributing to mainline

Thanks,

-- 
Jiri Kosina
SUSE Labs
