[1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group

Message ID 2023063020-throat-pantyhose-f110@gregkh
State New
Headers
Series [1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group |

Commit Message

Greg KH June 30, 2023, 7:14 a.m. UTC
  Because the linux-distros group forces reporters to release information
about reported bugs, and they impose arbitrary deadlines in having those
bugs fixed despite not actually being kernel developers, the kernel
security team recommends not interacting with them at all as this just
causes confusion and the early-release of reported security problems.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/process/security-bugs.rst | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)
  

Comments

Kees Cook June 30, 2023, 6:14 p.m. UTC | #1
On Fri, Jun 30, 2023 at 09:14:20AM +0200, Greg Kroah-Hartman wrote:
> Because the linux-distros group forces reporters to release information
> about reported bugs, and they impose arbitrary deadlines in having those
> bugs fixed despite not actually being kernel developers, the kernel
> security team recommends not interacting with them at all as this just
> causes confusion and the early-release of reported security problems.
> 
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Yeah, this is good. It might make sense to explicitly detail the
rationale in security-bugs.rst (as you have in the commit log), but
perhaps that's too much detail.

Reviewed-by: Kees Cook <keescook@chromium.org>
  
Greg KH July 3, 2023, 3 p.m. UTC | #2
On Fri, Jun 30, 2023 at 11:14:05AM -0700, Kees Cook wrote:
> On Fri, Jun 30, 2023 at 09:14:20AM +0200, Greg Kroah-Hartman wrote:
> > Because the linux-distros group forces reporters to release information
> > about reported bugs, and they impose arbitrary deadlines in having those
> > bugs fixed despite not actually being kernel developers, the kernel
> > security team recommends not interacting with them at all as this just
> > causes confusion and the early-release of reported security problems.
> > 
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> Yeah, this is good. It might make sense to explicitly detail the
> rationale in security-bugs.rst (as you have in the commit log), but
> perhaps that's too much detail.
> 
> Reviewed-by: Kees Cook <keescook@chromium.org>

Thanks for the review.  I'll keep this as-is as it's the content of the
file that matters in the end.

thanks,

greg k-h
  
Greg KH July 3, 2023, 3:01 p.m. UTC | #3
On Mon, Jul 03, 2023 at 05:00:51PM +0200, Greg Kroah-Hartman wrote:
> On Fri, Jun 30, 2023 at 11:14:05AM -0700, Kees Cook wrote:
> > On Fri, Jun 30, 2023 at 09:14:20AM +0200, Greg Kroah-Hartman wrote:
> > > Because the linux-distros group forces reporters to release information
> > > about reported bugs, and they impose arbitrary deadlines in having those
> > > bugs fixed despite not actually being kernel developers, the kernel
> > > security team recommends not interacting with them at all as this just
> > > causes confusion and the early-release of reported security problems.
> > > 
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > Yeah, this is good. It might make sense to explicitly detail the
> > rationale in security-bugs.rst (as you have in the commit log), but
> > perhaps that's too much detail.
> > 
> > Reviewed-by: Kees Cook <keescook@chromium.org>
> 
> Thanks for the review.  I'll keep this as-is as it's the content of the
> file that matters in the end.

Ok, that didn't come out well, let me try again.  Let's leave the text
as-is for now, thanks.

greg k-h
  

Patch

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 82e29837d589..f12ac2316ce7 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -63,20 +63,18 @@  information submitted to the security list and any followup discussions
 of the report are treated confidentially even after the embargo has been
 lifted, in perpetuity.
 
-Coordination
-------------
+Coordination with other groups
+------------------------------
 
-Fixes for sensitive bugs, such as those that might lead to privilege
-escalations, may need to be coordinated with the private
-<linux-distros@vs.openwall.org> mailing list so that distribution vendors
-are well prepared to issue a fixed kernel upon public disclosure of the
-upstream fix. Distros will need some time to test the proposed patch and
-will generally request at least a few days of embargo, and vendor update
-publication prefers to happen Tuesday through Thursday. When appropriate,
-the security team can assist with this coordination, or the reporter can
-include linux-distros from the start. In this case, remember to prefix
-the email Subject line with "[vs]" as described in the linux-distros wiki:
-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
+The kernel security team strongly recommends that reporters of potential
+security issues NEVER contact the "linux-distros" mailing list until
+AFTER discussing it with the kernel security team.  Do not Cc: both
+lists at once.  You may contact the linux-distros mailing list after a
+fix has been agreed on and you fully understand the requirements that
+doing so will impose on you and the kernel community.
+
+The different lists have different goals and the linux-distros rules do
+not contribute to actually fixing any potential security problems.
 
 CVE assignment
 --------------