Re: [PATCH v3 0/7] Documentation/security-bugs: overhaul

From: Greg Kroah-Hartman
Date: Mon Mar 06 2023 - 01:42:46 EST


On Mon, Mar 06, 2023 at 07:35:34AM +0100, Willy Tarreau wrote:
> On Mon, Mar 06, 2023 at 07:02:14AM +0100, Greg Kroah-Hartman wrote:
> > Secondly, and the bigger one, I think we should just drop all of the
> > references to linux-distros and oss-security entirely, as those are
> > groups that are outside of our control and interaction and have
> > different rules that we might not agree with. They also just a tiny
> > subset of Linux users and companies and as such do not really reflect
> > the majority of where Linux is used anymore.
>
> I'm wondering if instead they shouldn't just be mentioned as a warning
> about the risk of leak or forced disclosure. We know that reporters may
> find the address from various places, including various sites that may
> enumerate the long list of potential contacts, and not just this doc.
> It can be useful to have just a paragraph warning about the fact that
> oss-sec is public and that linux-distros has this strict disclosure
> policy without consideration for the availability of a fix, in order
> to warn them to only contact such lists once the fix is available and
> tested if they want to, but never before. Anything we can do to help
> serious reporters (i.e. those who are really embarrassed with a bug,
> not those who seek a Curiculum Vitae Enhancer) should be done. It's
> always a stressful moment to report a security issue on a project,
> you always fear that you might be doing an irreversible mistake, so
> whatever info we can pass about the risks (or lack of) should be
> welcome I guess.

That's a good idea, if it can be worded in a way that reflects that is
is not any sort of requirement or that it is normal part of our
development process.

thanks,

greg k-h