lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251203145845.GB11908@1wt.eu>
Date: Wed, 3 Dec 2025 15:58:45 +0100
From: Willy Tarreau <w@....eu>
To: Kees Cook <kees@...nel.org>
Cc: Jonathan Corbet <corbet@....net>, Security Officers <security@...nel.org>,
        gregkh@...uxfoundation.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Documentation: insist on the plain-text requirement for
 security reports

On Wed, Dec 03, 2025 at 06:40:38AM -0800, Kees Cook wrote:
> >+Markdown, HTML and RST formatted reports are particularly frowned upon since
> >+they're quite hard to read for humans and encourage to use dedicated viewers,
> >+sometimes online, which by definition is not acceptable for a confidential
> >+security report.
> 
> HTML sure. But why discourage .md and .rst? Markdown is pretty well the
> defacto "human readable" markup format and our own kernel documentation is
> .rst. Those are good for seeing code snippets, etc.

Quite frankly, have you tried to read the latest reports ? They're full
of "**" everywhere with no spacing nor indent at all, it's particularly
hard to find the relevant information in them. It's super tempting to
copy-paste them to the plenty of online viewers to render them correctly,
except we'd rather not do that for obvious reasons. And when you start
to discuss it gets even worse with ``` formating tags isolated between
quoted paragraphs and no longer being relevant.

And let's be honest, these ones are close to 100% of the time generated
by AI tools which are almost unable to produce anything else anymore by
default because that's what they're using to interact with the chatbot's
UI. If at least that forces those seeking a CVE number to actually *read*
what their favorite AI bot produced, it will be a huge gain for everyone.
Right now I'm really ashamed to forward AI-generated garbage to subsystem
maintainers just in case there would be anything valid despite the format
already strongly hinting otherwise.

> I would call out PDF and ZIP instead. We especially don't want _binary_
> formats.

IMHO we don't want useless nor hard-to-exploit reports in the first
place, and to date I don't remember seeing a really valid and
immediately actionable one using such decorations, since they were
not written by the reporters.

Willy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ