Re: [PATCH v2 2/3] Documentation: explain how to find maintainers addresses for security reports
From: Willy Tarreau
Date: Fri Apr 03 2026 - 12:46:56 EST
On Fri, Apr 03, 2026 at 08:48:56AM -0700, Kees Cook wrote:
> On Fri, Apr 03, 2026 at 08:20:17AM +0200, Willy Tarreau wrote:
> > [...]
> > +One difficulty for most first-time reporters is to figure the right list of
> > +recipients to send a report to. In the Linux kernel, all official maintainers
> > +are trusted, so the consequences of accidentally including the wrong maintainer
> > +are essentially a bit more noise for that person, i.e. nothing dramatic. As
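Review bot: "to figure the right list of recipients" in the first added line is missing "out". Suggest "is to figure out the right list of recipients to send a report to".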
>
> Yeah, this is the central point: we already trust maintainers; there is
> nothing "special" about security@xxxxxxxxxx.
Yep!
> > [...]
> > +single line suitable for use in the To: field of a mailer like this::
> > +
> > + $ ./scripts/get_maintainer.pl --no-tree --no-l --no-r --no-n --m \
> > + --no-git-fallback --no-substatus --no-rolestats --no-multiline \
> > + --pattern-depth 1 drivers/example.c
> > + dev1@xxxxxxxxxxx, dev2@xxxxxxxxxxx
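Review bot: the short options in the example command ("--no-l --no-r --no-n --m") are given without saying what each one selects or drops, at least in the lines quoted here. "--no-l" is the one that keeps mailing lists out of the resulting To: line, which matters for a report that must stay private. A sentence naming that option and its purpose would help reporters who shorten or adapt the command.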
>
> To echo Greg, yeah, this is great, and has been an implicit action we've
> done for years, so there's every reason to delegate it to the reporter
> to avoid the round-trip.
Thanks!
> Though I guess we'll see if these new instructions actually change
> anything -- we still have people asking for CVE assignments. :P
I think it will move a little bit, because AI bots read this, so the
annoying ones who used to send us reports they didn't read will make
better ones. We've seen improvements already over the last two months,
with more plain text and less copy-pasted markdown. But maybe the MD
wasn't emitted in the first place. It's also true that the report
quality has improved and now the tools are used by some experienced
people (but not just them yet). Anyway, we'll see. Now we have just
a link to copy-paste in return, we'll see how it evolves.
Cheers,
Willy