Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
From: Solar Designer
Date: Fri Jul 19 2019 - 04:42:28 EST
On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > >
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@xxxxxxxxxx's policy.
> > > >
> > > > Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
> > > > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> > >
> > > Sorry, but NACK, see below...
I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then
I suggest that we apply Sasha's first revision of the patch instead.
I think either revision is an improvement on the status quo.
> I think reinforcing information to avoid past mistakes is appropriate
> here.
Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:
- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.
- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@xxx or whether
they want someone on linux-distros to help coordinate with security@xxxx
(Maybe this is something we want to write about here.)
- The Linux kernel bug having been introduced too recently to be of much
interest to distros.
> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.
This happens too. Regarding missing the "[vs]" detail, technically
there are a number of other conditions that also let the message
through, but those are changing and are deliberately not advertised.
> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.
Right.
> This has caused leaks in the past
Do you mean leaks to *BSD security teams or to the public? I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list. Are you?
Alexander