Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

From: Sasha Levin
Date: Thu Jul 18 2019 - 20:39:23 EST

On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > Provide more information about how to interact with the linux-distros
> > mailing list for disclosing security bugs.
> >
> > Reference the linux-distros list policy and clarify that the reporter
> > must read and understand those policies as they differ from
> > security@xxxxxxxxxx's policy.
> >
> > Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
>
> Sorry, but NACK, see below...
>
> > ---
> >
> > Changes in v2:
> > - Focus more on pointing to the linux-distros wiki and policies.
>
> I think this is already happening in the text. What specifically do you
> want described differently?

The main issue was that there isn't anything pointing to the
linux-distros policies. The current text outlines a few of them ("add
[vs]", and "there should be an embargo period"), but it effectively just
gives out the linux-distros mailing address and tells the reporter to
contact it.

> > - Remove explicit linux-distros email.
>
> I don't like this because we had past trouble with notifications going
> to the distros@ list and leaking Linux-only flaws to the BSDs. As there
> isn't a separate linux-distros wiki, the clarification of WHICH list is
> needed.

Why would removing the explicit linux-distros email encourage people to
send reports to it?

I also don't understand what you mean by "there isn't a separate
linux-distros wiki"? There is one, and I want to point the reporter
there.

> > - Remove various explanations of linux-distros policies.
>
> I don't think there's value in removing the Tue-Thu comment, nor
> providing context for why distros need time. This has been a regular
> thing we've had to explain to researchers that aren't familiar with
> update procedures and publication timing.

To be fair, the Tue-Thu comment is listed in the section describing how
to do coordination with linux-distros, and linux-distros don't have a
Tue-Thu policy. If it's a security@xxxxxxxxxx policy, then let's list it
elsewhere.

If you feel that there is a consensus around Tue-Thu, let's just add it
to the linux-distros policy wiki; there's no point in listing random
policies from that wiki.

--
Thanks,
Sasha