| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aS3-xTM5NvYLNEM9@gmail.com>
Date: Mon, 1 Dec 2025 21:47:01 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Willy Tarreau <w@....eu>
Cc: Jonathan Corbet <corbet@....net>,
Security Officers <security@...nel.org>, gregkh@...uxfoundation.org,
kees@...nel.org, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Documentation: insist on the plain-text requirement for
security reports
* Willy Tarreau <w@....eu> wrote:
> As the trend of AI-generated reports is growing, the trend of unreadable
> reports in gimmicky formats is following, and we cannot request that
> developers rely on online viewers to be able to read a security report
> full for formatting tags. Let's just insist on the plain text requirement
> a bit more.
>
> Signed-off-by: Willy Tarreau <w@....eu>
> ---
> Documentation/process/security-bugs.rst | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index 84657e7d2e5b..c0cf93e11565 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -33,12 +33,16 @@ that can speed up the process considerably. It is possible that the
> security team will bring in extra help from area maintainers to
> understand and fix the security vulnerability.
>
> -Please send plain text emails without attachments where possible.
> +Please send **plain text** emails without attachments where possible.
So maybe part of the confusion is that this sentence
can be read permissively, depending how the 'where
possible' qualifier is interpreted:
Please send plain text emails without attachments,
where possible.
Note how "it's not possible because my report is in
PDF" seems to allow for that in the permissive reading.
What that sentence should really say is something like:
Please send plain text emails only. Please do not
include any attachments, where possible.
This makes it clear that only plain text emails are
acceptable.
Ie. something like the patch below?
Thanks,
Ingo
============================================>
Signed-off-by: Ingo Molnar <mingo@...nel.org>
Documentation/process/security-bugs.rst | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 84657e7d2e5b..4a76928a700e 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -33,12 +33,16 @@ that can speed up the process considerably. It is possible that the
security team will bring in extra help from area maintainers to
understand and fix the security vulnerability.
-Please send plain text emails without attachments where possible.
-It is much harder to have a context-quoted discussion about a complex
-issue if all the details are hidden away in attachments. Think of it like a
-:doc:`regular patch submission <../process/submitting-patches>`
+Please send **plain text** emails only. Please do not include any
+attachments, where possible. It is much harder to have a context-quoted
+discussion about a complex issue if all the details are hidden away
+in attachments. Think of it like a :doc:`regular patch submission <../process/submitting-patches>`
(even if you don't have a patch yet): describe the problem and impact, list
reproduction steps, and follow it with a proposed fix, all in plain text.
+Markdown, HTML and RST formatted reports are particularly frowned upon since
+they're quite hard to read for humans and encourage to use dedicated viewers,
+sometimes online, which by definition is not acceptable for a confidential
+security report.
Disclosure and embargoed information
------------------------------------
Powered by blists - more mailing lists