Re: [PATCH v2] Documentation/security-bugs: overhaul
From: Jiri Kosina
Date: Mon Jun 06 2022 - 17:31:31 EST
On Mon, 6 Jun 2022, Vegard Nossum wrote:
> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the bottom of the document; these will not appear in the rendered HTML
> document.
>
> v2: address feedback from Willy Tarreau and Jonathan Corbet
>
> Link: https://seclists.org/oss-sec/2022/q2/133
> Cc: Amit Shah <aams@xxxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: David Woodhouse <dwmw@xxxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
> Cc: Jiri Kosina <jkosina@xxxxxxx>
> Cc: Jonathan Corbet <corbet@xxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Laura Abbott <labbott@xxxxxxxxxx>
> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Solar Designer <solar@xxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Thorsten Leemhuis <linux@xxxxxxxxxxxxx>
> Cc: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
> Cc: Will Deacon <will@xxxxxxxxxx>
> Cc: Willy Tarreau <w@xxxxxx>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
> Documentation/admin-guide/security-bugs.rst | 252 +++++++++++++-------
> 1 file changed, 167 insertions(+), 85 deletions(-)
>
> v1 thread:
> https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@xxxxxxxxxx/T/#u
>
> Updated rendered HTML:
> https://vegard.github.io/security/Documentation/output/admin-guide/security-bugs-v2.html
>
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..c63eeb1e89ffd 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
Thanks for investing time into fixing this aged document.
Two rather minor things come to my mind, but as you are touching that
document anyway ...
- what sense does it make to have embargoed-hardware-issues.rst and
security-bugs.rst live in different Documentation/ subdirectories
(admin-guide/ vs process/)? It'd seem to make sense to me to have them
in one common place?
- would it make sense to briefly reference embargoed-hardware-issues.rst
somewhere in this text, to make the distinction as obvious as possible?
It's referenced the other way around.
Thanks,
--
Jiri Kosina
SUSE Labs