Re: Proper procedure for reporting possible security vulnerabilities?

From: Indrek Kruusa
Date: Mon Jan 10 2005 - 16:46:36 EST

Next message: Jason Gaston: "[PATCH] pci_ids.h correction for Intel ICH7 - 2.6.10-bk13"
Previous message: Nishanth Aravamudan: "[UPDATE PATCH] cdrom/sonycd535: replace schedule_timeout() with msleep()"
In reply to: Florian Weimer: "Re: Proper procedure for reporting possible security vulnerabilities?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Horst von Brand wrote:

Indrek Kruusa <indrek.kruusa@xxxxxxxxxxx> said:

Steve Bergman wrote:

There seems to be some confusion in certain quarters as to the proper procedure for reporting possible kernel security issues. REPORTING-BUGS says send bug reports to the maintainer of that area of the kernel.

Unfortunately my english is not on a par with this but this document *needs* updating at every corner and after that the direct hyperlink to this document on the kernel.org should be placed above links of the kernel source (currently it is somewhere at the middle of the page). And the note "please read before using vanilla kernel" should be in red. It *seems* to me that there is a big cap between reality and this document/common sense (in the days of heavily patched kernels and 2.6 devel. model). There should be several separate parts in this document: for kernel developers, for distro makers, for "smart" users, for "enthusiasts"....

Write something up, I'd be happy to help polishing English. And you'll find
more helpers on LKML.

sorry, but... yes, it was meant as "I am ready to help" :) but definitely I am not the right person to start to change this document. I can assist as linux user who need some information about bug reporting and how/why I should use sources from kernel.org at all. I have no idea what is desired by kernel developers (obviously they need good reports from informed users and less annoying traffic in LKML...maybe this letter is similar, sorry) but I have seen that those old school enthusiasts who are going to compile their custom kernel after every new release or -ac - they are not happy 'cause something which was part of their life (faster, smaller and maybe safer custom system) is now quite hard to achieve. Explanation would be nice for them, maybe even in kernel README.

thanks,
Indrek

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jason Gaston: "[PATCH] pci_ids.h correction for Intel ICH7 - 2.6.10-bk13"
Previous message: Nishanth Aravamudan: "[UPDATE PATCH] cdrom/sonycd535: replace schedule_timeout() with msleep()"
In reply to: Florian Weimer: "Re: Proper procedure for reporting possible security vulnerabilities?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]