Re: [PATCH] Documentation/security-bugs: overhaul

From: Mauro Carvalho Chehab
Date: Fri Jun 03 2022 - 20:43:35 EST


On Wed, 01 Jun 2022 10:58:50 -0600
Jonathan Corbet <corbet@xxxxxxx> wrote:

> Vegard Nossum <vegard.nossum@xxxxxxxxxx> writes:
>
> > The current instructions for reporting security vulnerabilities in the
> > kernel are not clear enough, in particular the process of disclosure
> > and requesting CVEs, and what the roles of the different lists are and
> > how exactly to report to each of them.
> >
> > Let's give this document an overhaul. Goals are stated as a comment at
> > the top of the document itself (these will not appear in the rendered
> > document).
>
> OK, some other thoughts...
>
> [...]
>
> > +Linux kernel security team at security@xxxxxxxxxx, henceforth "the
> > +security list". This is a closed list of trusted developers who will
> > +help verify the bug report and develop a patch.
> > +
> > +While the security list is closed, the security team may bring in
> > +extra help from the relevant maintainers to understand and fix the
> > +security vulnerability.
> > +
> > +Note that the main interest of the kernel security list is in getting
> > +bugs fixed; CVE assignment, disclosure to distributions, and public
> > +disclosure happens on different lists with different people.
>
> Adding "as described below" or some such might be helpful for readers
> who are mostly interested in those things.
>
> > +Here is a quick overview of the various lists:
> > +
> > +.. list-table::
> > + :widths: 35 10 20 35
> > + :header-rows: 1
> > +
> > + * - List address
> > + - Open?
> > + - Purpose
> > + - Members
> > + * - security@xxxxxxxxxx
> > + - Closed
> > + - Reporting; patch development
> > + - Trusted kernel developers
> > + * - linux-distros@xxxxxxxxxxxxxxx
> > + - Closed
> > + - Coordination; CVE assignment; patch development, testing, and backporting
> > + - Linux distribution representatives
> > + * - oss-security@xxxxxxxxxxxxxxxxxx
> > + - Public
> > + - Disclosure
> > + - General public
>
> Please don't use list-table, that's totally unreadable in the plain-text
> format. How about something like:
>
> =============================== ===== ================= ===============
> List address                    Open? Purpose           Members
> =============================== ===== ================= ===============
> security@xxxxxxxxxx             no    Reporting         Trusted kernel
>                                                         developers
>                                       Patch development
> linux-distros@xxxxxxxxxxxxxxx   no    Coordination      Distribution
>                                                         representatives
>                                       CVE assignment
>                                       Patch development
>                                       Testing
>                                       Backporting
> oss-security@xxxxxxxxxxxxxxxxxx yes   Disclosure        General public
> =============================== ===== ================= ===============
>
> (Note I haven't tried to format this, there's probably an error in there
> somewhere).

Yeah, I guess the right syntax is something like:

=============================== ===== ================= ===============
List address                    Open? Purpose           Members
------------------------------- ----- ----------------- ---------------
security@xxxxxxxxxx             no    Reporting         Trusted kernel
                                                        developers
                                      Patch development
linux-distros@xxxxxxxxxxxxxxx   no    Coordination      Distribution
                                                        representatives
                                      CVE assignment

                                      Patch development

                                      Testing

                                      Backporting
oss-security@xxxxxxxxxxxxxxxxxx yes   Disclosure        General public
=============================== ===== ================= ===============

Regards,
Mauro
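A small checker for hand-aligned RST simple tables like the one being drafted in this thread, added here as an example and not part of the thread or the kernel tree: it reads the column boundaries off the top border and reports rows whose text lands in the gap between two columns, a header separator drawn with '-', and text past the right border. The sample table, the `SAMPLE_TABLE` name and the two helper functions are constructed for this example; two rows of the sample are deliberately misaligned.

```python
import re

# Constructed sample, not text from the patch: the four-column RST simple
# table sketched in the thread, with two rows deliberately broken
# (line 6 straddles the Purpose/Members gap, line 7 runs past the border).
SAMPLE_TABLE = """\
=============================== ===== ================= ===============
List address                    Open? Purpose           Members
=============================== ===== ================= ===============
security@xxxxxxxxxx             no    Reporting         Trusted kernel
                                                        developers
                                      Patch development/backporting
linux-distros@xxxxxxxxxxxxxxx   no    Coordination      Distribution representatives
oss-security@xxxxxxxxxxxxxxxxxx yes   Disclosure        General public
=============================== ===== ================= ===============
"""

BORDER_RE = re.compile(r"=+( +=+)*")


def column_spans(border):
    """(start, end) offsets of each column, read off a '=' border line."""
    return [(m.start(), m.end()) for m in re.finditer(r"=+", border)]


def check_simple_table(text):
    """Return layout problems in an RST simple table, one string per finding."""
    lines = text.rstrip("\n").split("\n")
    # docutils derives the column boundaries from the top border and rejects
    # any row with text in the gap between two columns, so alignment matters.
    spans = column_spans(lines[0])
    gaps = [(end, nxt) for (_, end), (nxt, _) in zip(spans, spans[1:])]
    right_edge = spans[-1][1]
    problems = []
    for n, line in enumerate(lines, 1):
        if BORDER_RE.fullmatch(line.rstrip()):
            if column_spans(line) != spans:
                problems.append(f"line {n}: border does not match the top border")
            continue
        if line.strip() and set(line) <= {"-", " "}:
            if n == 3:  # header separator must be '='; '-' marks a column span
                problems.append(f"line {n}: header separator must use '=' not '-'")
            continue
        for gap_start, gap_end in gaps:
            if line[gap_start:gap_end].strip():
                problems.append(f"line {n}: text crosses the column gap at offset {gap_start}")
        if line[right_edge:].strip():
            problems.append(f"line {n}: text runs past the right border (legal for the last column, but untidy)")
    return problems
```

Run `check_simple_table(SAMPLE_TABLE)` to get the two findings for lines 6 and 7; an aligned table returns an empty list.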