Re: [PATCH v3 2/3] Documentation: security-bugs: explain what is and is not a security bug
From: Jonathan Corbet
Date: Wed May 13 2026 - 17:08:39 EST

Willy Tarreau <w@xxxxxx> writes:
> On Wed, May 13, 2026 at 06:52:00AM -0600, Jonathan Corbet wrote:
>> I definitely wouldn't argue for making it longer, and enumerating all of
>> the make-me-root capabilities would be silly. I would consider just
>> replacing CAP_SYS_ADMIN with "elevated capabilities" or some such. That
>> might rule out legitimate reports where some capability provides an
>> access it shouldn't, but I suspect you could live with that :)
>
> I think it could indeed work like this, without denaturing the rest
> of the paragraph and having broader coverage. Do you think you could
> amend/update it? I'm not trying to add any burden on you, it's just that
> it will take me more time before I provide an update :-/

How's the following?

(While I was there, I noticed that threat-model.rst has no SPDX line;
what's your preference there?)

Thanks,

jon