Re: [PATCH v2] Documentation/security-bugs: overhaul
From: Will Deacon
Date: Tue Jun 07 2022 - 05:07:48 EST
Hi,
On Mon, Jun 06, 2022 at 09:48:50PM +0200, Vegard Nossum wrote:
> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the bottom of the document; these will not appear in the rendered HTML
> document.
>
> v2: address feedback from Willy Tarreau and Jonathan Corbet
>
> Link: https://seclists.org/oss-sec/2022/q2/133
> Cc: Amit Shah <aams@xxxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: David Woodhouse <dwmw@xxxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
> Cc: Jiri Kosina <jkosina@xxxxxxx>
> Cc: Jonathan Corbet <corbet@xxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Laura Abbott <labbott@xxxxxxxxxx>
> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Solar Designer <solar@xxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Thorsten Leemhuis <linux@xxxxxxxxxxxxx>
> Cc: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
> Cc: Will Deacon <will@xxxxxxxxxx>
> Cc: Willy Tarreau <w@xxxxxx>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
> Documentation/admin-guide/security-bugs.rst | 252 +++++++++++++-------
> 1 file changed, 167 insertions(+), 85 deletions(-)
>
> v1 thread:
> https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@xxxxxxxxxx/T/#u
>
> Updated rendered HTML:
> https://vegard.github.io/security/Documentation/output/admin-guide/security-bugs-v2.html
>
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..c63eeb1e89ffd 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -1,96 +1,178 @@
> +
> .. _securitybugs:
>
> -Security bugs
> -=============
> +Reporting security bugs
> +=======================
>
> Linux kernel developers take security very seriously. As such, we'd
> like to know when a security bug is found so that it can be fixed and
> disclosed as quickly as possible. Please report security bugs to the
> -Linux kernel security team.
> -
> -Contact
> --------
> -
> -The Linux kernel security team can be contacted by email at
> -<security@xxxxxxxxxx>. This is a private list of security officers
> -who will help verify the bug report and develop and release a fix.
> -If you already have a fix, please include it with your report, as
> -that can speed up the process considerably. It is possible that the
> -security team will bring in extra help from area maintainers to
> -understand and fix the security vulnerability.
> -
> -As it is with any bug, the more information provided the easier it
> -will be to diagnose and fix. Please review the procedure outlined in
> -'Documentation/admin-guide/reporting-issues.rst' if you are unclear about what
> -information is helpful. Any exploit code is very helpful and will not
> -be released without consent from the reporter unless it has already been
> -made public.
> -
> -Please send plain text emails without attachments where possible.
> -It is much harder to have a context-quoted discussion about a complex
> -issue if all the details are hidden away in attachments. Think of it like a
> -:doc:`regular patch submission <../process/submitting-patches>`
> -(even if you don't have a patch yet): describe the problem and impact, list
> +Linux kernel security team at security@xxxxxxxxxx, henceforth "the
> +security list". This is a closed list of trusted developers who will
> +help verify the bug report and develop a patch in case none was already
> +proposed.
> +
> +While the security list is closed, the security team may bring in
> +extra help from the relevant maintainers to understand and fix the
> +security vulnerability.
> +
> +Note that the main interest of the kernel security list is in getting
> +bugs fixed and getting patches reviewed, tested, and merged; CVE
> +assignment, disclosure to distributions, and public disclosure happen
> +on different lists with different people, as described below.
> +
> +Here is a quick overview of the various lists:
> +
> + =============================== ===== =================== ===============
> + List address Open? Purpose Members
> + =============================== ===== =================== ===============
> + security@xxxxxxxxxx no | Reporting Trusted kernel
> + | Patch development developers
> + ------------------------------- ----- ------------------- ---------------
> + linux-distros@xxxxxxxxxxxxxxx no | Coordination Distribution
> + | CVE assignment representatives
> + | Backporting
> + | Testing
> + ------------------------------- ----- ------------------- ---------------
> + oss-security@xxxxxxxxxxxxxxxxxx yes | Disclosure General public
> + =============================== ===== =================== ===============
> +
> +The following sections give a step-by-step guide to reporting and
> +disclosure.
> +
> +Contacting the security list
> +----------------------------
> +
> +As it is with any bug, the more information provided the easier it will
> +be to diagnose and fix; please review the procedure outlined in
> +Documentation/admin-guide/reporting-issues.rst if you are unclear about
> +what information is helpful. Any exploit code is very helpful and will
> +not be released without consent from the reporter unless it has already
> +been made public. Reporters are encouraged to propose patches, participate
> +in the discussions of a fix, and test patches.
> +
> +The security team does not assign CVEs, nor does it require them
> +for reports or fixes. CVEs may be requested when the issue is reported to
> +the linux-distros list.
> +
> +**Disclosure.** The security list strongly prefers to have patches posted
> +for review and testing on public mailing lists and and merged into the
typo: "and and"
> +appropriate public git repository as soon as they become available.
> +However, in exceptional cases, you or an affected party may request that
> +the patch be withheld for some days; as a rule, the maximum is 7 days.
> +Only in truly exceptional cases will the security list consider deferring
> +the publication of a fix beyond this, and the only valid reason for doing
> +so would be to accommodate the logistics of QA and large scale rollouts
> +that require release coordination.
I think there's a semantic change here, and I tend to feel that these sort
of changes would be much easier to review if the semantic changes were done
separately from the reformatting or the addition of entirely new sections.
As it stands, the whole doc is effectively being replaced, but what we
currently have has been tweaked over the years (often as a result of
spirited debate) and I'm keen not to open up some of the issues we had
previously if at all possible.
Case in point: the new text above removes both the mention of "calendar
days" which is a useful disambiguation as well as removing the "extension
to 14 calendar days" which is a useful upper bound. Why are you removing
these?
You have also removed use of the term "robust fix", which I think was
useful. That is, security@ isn't going to post a broken patch to the public
list just because it's been available for 7 days; that period should only
begin (if it is even needed) once the fix is ready to go.
Thanks,
Will