Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
From: Kees Cook
Date: Tue Jul 23 2019 - 18:23:47 EST
On Fri, Jul 19, 2019 at 10:42:15AM +0200, Solar Designer wrote:
> - The reporter having been directed to post from elsewhere (and I
> suspect this documentation file) without being aware of list policy.
Perhaps specify "linux-distros@" without a domain, so it's more clear?
Or re-split the Wiki into two pages to avoid confusion?
> - The reporter not mentioning (and sometimes not replying even when
> asked) whether they're also coordinating with security@xxx or whether
> they want someone on linux-distros to help coordinate with security@xxxx
> (Maybe this is something we want to write about here.)
Yeah, that seems useful to include in both places.
> - The Linux kernel bug having been introduced too recently to be of much
> interest to distros.
Right; that'd be good to add as well. I see a lot of panic on Twitter,
for example, about bugs that only ever existed in -rc releases.
> > Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> > distros.
>
> Right.
>
> > This has caused leaks in the past
>
> Do you mean leaks to *BSD security teams or to the public? I'm not
> aware of past leaks to the public via the non-Linux distros present on
> the distros@ list. Are you?
I don't know the origin of the leaks, but it only happened when distros@
was used instead of linux-distros@. I think this happened with DirtyCOW,
specifically.
--
Kees Cook