Re: [PATCH v2 2/3] Documentation: explain how to find maintainers addresses for security reports

From: Kees Cook

Date: Fri Apr 03 2026 - 11:51:27 EST


On Fri, Apr 03, 2026 at 08:20:17AM +0200, Willy Tarreau wrote:
> [...]
> +One difficulty for most first-time reporters is to figure the right list of
> +recipients to send a report to. In the Linux kernel, all official maintainers
> +are trusted, so the consequences of accidentally including the wrong maintainer
> +are essentially a bit more noise for that person, i.e. nothing dramatic. As
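
Review bot: The first added sentence reads "to figure the right list of recipients", which is missing a word; suggest "to figure out the right list of recipients". The paragraph also relies on "all official maintainers are trusted" to justify a low cost of mis-addressing, so it would help to say in the same place that this applies to maintainer addresses only, so that a reader does not extend it to every address the script can print.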

Yeah, this is the central point: we already trust maintainers; there is
nothing "special" about security@xxxxxxxxxx.

> [...]
> +single line suitable for use in the To: field of a mailer like this::
> +
> + $ ./scripts/get_maintainer.pl --no-tree --no-l --no-r --no-n --m \
> + --no-git-fallback --no-substatus --no-rolestats --no-multiline \
> + --pattern-depth 1 drivers/example.c
> + dev1@xxxxxxxxxxx, dev2@xxxxxxxxxxx
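
Review bot: The example command is a long run of switches with no explanation in the quoted text, and its output goes straight into the To: field of a security report. Suggest a sentence after the example stating which switches must be kept when a reporter adapts the command, in particular `--no-l`, which keeps mailing lists out of the result, and `--no-git-fallback`, so that the recipients stay limited to the listed maintainers. The `drivers/example.c` argument could also be marked as a placeholder path.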

To echo Greg, yeah, this is great, and has been an implicit action we've
done for years, so there's every reason to delegate it to the reporter
to avoid the round-trip.

Though I guess we'll see if these new instructions actually change
anything -- we still have people asking for CVE assignments. :P

Reviewed-by: Kees Cook <kees@xxxxxxxxxx>

--
Kees Cook