Message ID | 20230305220010.20895-1-vegard.nossum@oracle.com |
---|---|
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp1548122wrd; Sun, 5 Mar 2023 14:03:00 -0800 (PST) X-Google-Smtp-Source: AK7set+njIDAkK9Ul1G8hWvJLx6dSeFnZ0IQHCajNFOFA8vaT7YAWwJXNxrYGUzMePxG4uZV2WML X-Received: by 2002:a05:6a20:7d9e:b0:cd:8ed8:8e1d with SMTP id v30-20020a056a207d9e00b000cd8ed88e1dmr9417035pzj.12.1678053780667; Sun, 05 Mar 2023 14:03:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1678053780; cv=none; d=google.com; s=arc-20160816; b=t2zVZSVIh/MzWEX39t1Cq67iLbPPD1TH5ehxmX7MUpdK08Z4MgPV9NyAFEM4cifhd5 AVa1pVe01kp5ke67V6eDMCdIoKT2zZnx/9dYafa4PsWMmcLNxEKLofaV/ApmXH7wABgS VO3CnXL29Cl0nVsh5Jszvs72AaCXsR+vGZOhwchV60EwI/ZlbEU3HSo1fK28u0JGSZ4A ohubBr8BkQl7HhN0+vacz+Ojf79+Q8sZperNTyy+2bJ8GihjES1Oa7u3JzFDuyW1uTFN wQYsowQI/sWaPQrELzmr+dhBOFHrIg4eIcUJA7xSqUBZpkVjkTUjIlXtfLicerk8wEba QjJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=jOu+ATFD6epKfa/dIl5O1pLo9na6LoDoSY0228fDne4=; b=ilWKEn2xJqSVae2Lgjyopg48d+m5UGxkW14KRzJCCGsH8NmeFjEaT6dDcUi3Ris2kq HfCpRBPSAcQTGNtS7m0tT89qEgQdoqz5SQCopwTtuEohet8Q+ryp8WtFJjK6MiGKi8Vs qnt/6yNlmUmXCpBHX8zRVjfBS1iZ5erqKFKOHs9IYvRcdbuZZGyKxfREnC2Y8Uv5xoU3 kUL6R0Wu9K4XYViF2qdk27RektcQC8W0Ia/CLgbm3Hr38jnftwZkbVUNaxDbAhp9zxj3 uLoR92r9Q8qlMGTwpMpTxlhbFmzNM26cc//IxI9DXzZjvG8ECC/r8RyULONfpStKg/OS xZhg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=P9La3Bol; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d13-20020a634f0d000000b004fb8509d653si7805736pgb.151.2023.03.05.14.02.43; Sun, 05 Mar 2023 14:03:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=P9La3Bol; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229494AbjCEWBq (ORCPT <rfc822;carlos.wei.hk@gmail.com> + 99 others); Sun, 5 Mar 2023 17:01:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57958 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229542AbjCEWBm (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Sun, 5 Mar 2023 17:01:42 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF998CDCD; Sun, 5 Mar 2023 14:01:40 -0800 (PST) Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 325LVveD008457; Sun, 5 Mar 2023 22:00:25 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=corp-2022-7-12; bh=jOu+ATFD6epKfa/dIl5O1pLo9na6LoDoSY0228fDne4=; b=P9La3Bol9p62H2LUjQOZtpy9A9oY6uKxGPUWC2+BnhlvqtzcycYVA+JypkaQncNg7JZM 4R5qKWzAAWF/dIIl5R1Xj5JOHo3JtjDn/VPubv1GEGKp5llF8SGgg9CDNof4G8Iktal9 7PmLNYTyteU+Jatk9LTzRUJ96bwzUCp6Ft35rIKCDMuZId0uUApKipN3DRC0sZdwQjLH fhyXuMEU2dbVM1lF3H7m5zpxQBriv/Ap5VTTVgv3Q+/IiigvTcDiuKOJ18SAYywAQszx NOYmV01TXrk8v7+ytoh4pDn7BxBA3a5wL2jcuTaB+w4VPmHDjZmCVKhGSuvfij1In/9l pA== Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3p416whrqq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 05 Mar 2023 22:00:25 +0000 Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 325HLY92023407; Sun, 5 Mar 2023 22:00:24 GMT Received: from pps.reinject (localhost [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3p4u040m1m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 05 Mar 2023 22:00:24 +0000 Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 325M0Nqx013622; Sun, 5 Mar 2023 22:00:23 GMT Received: from t460.home (dhcp-10-175-35-7.vpn.oracle.com [10.175.35.7]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTP id 3p4u040ktj-1; Sun, 05 Mar 2023 22:00:23 +0000 From: Vegard Nossum <vegard.nossum@oracle.com> To: Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>, Solar Designer <solar@openwall.com>, Will Deacon <will@kernel.org>, Willy Tarreau <w@1wt.eu> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, linux-kernel@vger.kernel.org, Amit Shah <aams@amazon.com>, Dave Hansen <dave.hansen@linux.intel.com>, David Woodhouse <dwmw@amazon.co.uk>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Kees Cook <keescook@chromium.org>, Laura Abbott <labbott@kernel.org>, Linus Torvalds <torvalds@linux-foundation.org>, Mauro Carvalho Chehab <mchehab@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Thorsten Leemhuis <linux@leemhuis.info>, Tyler Hicks <tyhicks@linux.microsoft.com>, Vegard Nossum <vegard.nossum@oracle.com> Subject: [PATCH v3 0/7] Documentation/security-bugs: overhaul Date: Sun, 5 Mar 2023 23:00:03 +0100 Message-Id: <20230305220010.20895-1-vegard.nossum@oracle.com> X-Mailer: git-send-email 2.23.0.718.g5ad94255a8 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-05_12,2023-03-03_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxlogscore=726 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2303050192 X-Proofpoint-GUID: iCJ2Jt-gZINbQ01lc772bGp0xW_IGBA2 X-Proofpoint-ORIG-GUID: iCJ2Jt-gZINbQ01lc772bGp0xW_IGBA2 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1759540446020497610?= X-GMAIL-MSGID: =?utf-8?q?1759566921240912235?= |
Series |
Documentation/security-bugs: overhaul
|
|
Message
Vegard Nossum
March 5, 2023, 10 p.m. UTC
Hi, This is v3 of clarifying our documentation for reporting security issues. The current document is not clear enough, in particular the process of disclosure and requesting CVEs, and what the roles of the different lists are and how exactly to report to each of them. Lots of people have been confused about the 7/14 days of the kernel list vs. the 7/14 days of the distros list, the fact that these are two separate lists, etc. Many reporters contact distros first, or submit their report to both lists at the same time (which has the unfortunate effect of starting off the disclosure countdown for the distros list before s@k.o has had a chance to look at the report). I've shared the v2 document with a couple of people who submitted reports and they said they found it a lot clearer. Probably the easiest way to see the end result of this series is to view the rendered HTML which I've put here: https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html oss-security discussion prompting the change: https://www.openwall.com/lists/oss-security/2022/05/15/1 v1 submission: https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@oracle.com/ v2 submission: https://lore.kernel.org/all/20220606194850.26122-1-vegard.nossum@oracle.com/ Changes: v2: address feedback from Willy Tarreau and Jonathan Corbet v3: move from admin-guide/ to process/; address feedback from Will Deacon (including reverting back to some of the original phrasing); split into multiple patches Vegard Vegard Nossum (7): Documentation/security-bugs: move from admin-guide/ to process/ Documentation/security-bugs: misc. improvements Documentation/security-bugs: improve security list section Documentation/security-bugs: add linux-distros and oss-security sections Documentation/security-bugs: add table of lists Documentation/security-bugs: clarify hardware vs. software vulnerabilities Documentation/security-bugs: document document design Documentation/admin-guide/index.rst | 1 - .../admin-guide/reporting-issues.rst | 4 +- Documentation/admin-guide/security-bugs.rst | 96 ---------- Documentation/process/howto.rst | 2 +- Documentation/process/index.rst | 9 +- .../process/researcher-guidelines.rst | 2 +- Documentation/process/security-bugs.rst | 181 ++++++++++++++++++ Documentation/process/stable-kernel-rules.rst | 2 +- Documentation/process/submitting-patches.rst | 2 +- .../it_IT/admin-guide/security-bugs.rst | 2 +- .../it_IT/process/submitting-patches.rst | 2 +- Documentation/translations/ja_JP/howto.rst | 2 +- Documentation/translations/ko_KR/howto.rst | 2 +- Documentation/translations/sp_SP/howto.rst | 2 +- .../sp_SP/process/submitting-patches.rst | 2 +- .../zh_CN/admin-guide/security-bugs.rst | 2 +- .../translations/zh_CN/process/howto.rst | 2 +- .../zh_TW/admin-guide/security-bugs.rst | 2 +- .../translations/zh_TW/process/howto.rst | 2 +- MAINTAINERS | 4 +- 20 files changed, 207 insertions(+), 116 deletions(-) delete mode 100644 Documentation/admin-guide/security-bugs.rst create mode 100644 Documentation/process/security-bugs.rst
Comments
On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote: > Hi, > > This is v3 of clarifying our documentation for reporting security > issues. > > The current document is not clear enough, in particular the process of > disclosure and requesting CVEs, and what the roles of the different > lists are and how exactly to report to each of them. > > Lots of people have been confused about the 7/14 days of the kernel list > vs. the 7/14 days of the distros list, the fact that these are two > separate lists, etc. Many reporters contact distros first, or submit > their report to both lists at the same time (which has the unfortunate > effect of starting off the disclosure countdown for the distros list > before s@k.o has had a chance to look at the report). I've shared the v2 > document with a couple of people who submitted reports and they said > they found it a lot clearer. > > Probably the easiest way to see the end result of this series is to view the > rendered HTML which I've put here: > https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html Thanks for doing this, it looks much better, but I do have some objections with it. First off, you didn't cc: the security@k.o group to see if they agree with this, any specific reason why? :) Secondly, and the bigger one, I think we should just drop all of the references to linux-distros and oss-security entirely, as those are groups that are outside of our control and interaction and have different rules that we might not agree with. They also just a tiny subset of Linux users and companies and as such do not really reflect the majority of where Linux is used anymore. But overall I like the slimmer size, so perhaps the end result just being the first two major sections would be best. Let me take those changes first and we can see how the result looks for now to see if that will resolve some of the major issues the security@k.o group have right now with reports (i.e. CVE requests, other group's disclosure rules and dates). thanks, greg k-h
On Mon, Mar 06, 2023 at 07:02:14AM +0100, Greg Kroah-Hartman wrote: > Secondly, and the bigger one, I think we should just drop all of the > references to linux-distros and oss-security entirely, as those are > groups that are outside of our control and interaction and have > different rules that we might not agree with. They also just a tiny > subset of Linux users and companies and as such do not really reflect > the majority of where Linux is used anymore. I'm wondering if instead they shouldn't just be mentioned as a warning about the risk of leak or forced disclosure. We know that reporters may find the address from various places, including various sites that may enumerate the long list of potential contacts, and not just this doc. It can be useful to have just a paragraph warning about the fact that oss-sec is public and that linux-distros has this strict disclosure policy without consideration for the availability of a fix, in order to warn them to only contact such lists once the fix is available and tested if they want to, but never before. Anything we can do to help serious reporters (i.e. those who are really embarrassed with a bug, not those who seek a Curiculum Vitae Enhancer) should be done. It's always a stressful moment to report a security issue on a project, you always fear that you might be doing an irreversible mistake, so whatever info we can pass about the risks (or lack of) should be welcome I guess. Willy
On Mon, Mar 06, 2023 at 07:35:34AM +0100, Willy Tarreau wrote: > On Mon, Mar 06, 2023 at 07:02:14AM +0100, Greg Kroah-Hartman wrote: > > Secondly, and the bigger one, I think we should just drop all of the > > references to linux-distros and oss-security entirely, as those are > > groups that are outside of our control and interaction and have > > different rules that we might not agree with. They also just a tiny > > subset of Linux users and companies and as such do not really reflect > > the majority of where Linux is used anymore. > > I'm wondering if instead they shouldn't just be mentioned as a warning > about the risk of leak or forced disclosure. We know that reporters may > find the address from various places, including various sites that may > enumerate the long list of potential contacts, and not just this doc. > It can be useful to have just a paragraph warning about the fact that > oss-sec is public and that linux-distros has this strict disclosure > policy without consideration for the availability of a fix, in order > to warn them to only contact such lists once the fix is available and > tested if they want to, but never before. Anything we can do to help > serious reporters (i.e. those who are really embarrassed with a bug, > not those who seek a Curiculum Vitae Enhancer) should be done. It's > always a stressful moment to report a security issue on a project, > you always fear that you might be doing an irreversible mistake, so > whatever info we can pass about the risks (or lack of) should be > welcome I guess. That's a good idea, if it can be worded in a way that reflects that is is not any sort of requirement or that it is normal part of our development process. thanks, greg k-h
Hi Vegard, first, thanks for doing this work. On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote: > Probably the easiest way to see the end result of this series is to view the > rendered HTML which I've put here: > https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html I'm seeing a few points that could be improved but I don't have much to propose right now, I'll just enumerate issues we've faced in the past or that continue to pop up from time to time and that require extra effort from the team: - I'm not seeing anywhere that the security list is *exclusively* for kernel issues. That might explain why about once a week or so we receive messages like "there's a bug in that userland tool" or "we've found an XSS issue on your website". It's written that kernel bugs should be reported to the security list but I think we should strengthen that by adding "This list is exclusively used for Linux kernel security reports, please do not report issues affecting any other component there". - we always need to be able to describe the nature of a bug in the commit message so that if the patch is found to cause a regression, its purpose can at least be understood and argumented. It happened at least once that we were requested not to explain the details because a paper was about to be issued, and that's not acceptable at all because it means that it becomes very complicated to have public discussions about possible forthcoming issues. I think that after the paragraph suggesting that the details of an issue or its exploit code might not always be published, it could be useful to mention something along the fact that the reporter shall not request the security team to withhold technical details about the issue as long as it doesn't represent an imminent danger. - it's quite frequent that reporters post from dummy addresses, looking like randomly generated ones (we even had one looking like a smiley). It doesn't help to communicate with them at all. I can understand how some working as consultants for a customer would want to avoid disclosing a particular relation between their finding and their customer, but at least they should indicate how they should be called. I.e. "call me Margarett" is not difficult and simplifies exchanges when the address is "69236836@example.com". And often we see at the end that they're willing to provide a real name to be credited for the finding, so most likely starting with this real name could be easier. - it's more a discussion for the list itself, but the wording continues to make one think that the reporter should expect the list members to develop a patch, while in practise the first thing that's asked is "since you've studied the problem well, do you happen to have a patch?". And it happened a few times that in response we got "oops sorry, I analysed it wrong, there's no issue there". I think the text should emphasize more on encouraging submitters to complete their work with a patch proposal (that's also helpful to confirm an analysis). And conversely I think that reports for non-immediately exploitable issues that are found by code analyzers (and almost always come without a patch) should not be sent to this list and should be discussed and addressed publicly instead. It's more efficient and allows more knowledgeable participants to have their say on the root cause of the problem and its possible solutions. That's of course not always the case, but common sense should prevail here. Thanks, Willy
On Mon, Mar 06, 2023 at 08:11:38AM +0100, Willy Tarreau wrote: > - I'm not seeing anywhere that the security list is *exclusively* > for kernel issues. That might explain why about once a week or so > we receive messages like "there's a bug in that userland tool" or > "we've found an XSS issue on your website". It's written that kernel > bugs should be reported to the security list but I think we should > strengthen that by adding "This list is exclusively used for Linux > kernel security reports, please do not report issues affecting any > other component there". I think the wording would be "Please report security bugs against Linux kernel to security@kernel.org list. Security bugs against userspace applications should be reported to appropriate channels for affected applications instead." > - it's quite frequent that reporters post from dummy addresses, > looking like randomly generated ones (we even had one looking > like a smiley). It doesn't help to communicate with them at all. > I can understand how some working as consultants for a customer > would want to avoid disclosing a particular relation between their > finding and their customer, but at least they should indicate how > they should be called. I.e. "call me Margarett" is not difficult > and simplifies exchanges when the address is "69236836@example.com". > And often we see at the end that they're willing to provide a real > name to be credited for the finding, so most likely starting with > this real name could be easier. > Something like temporary addresses (à la maildrop or mail.gw)? > - it's more a discussion for the list itself, but the wording continues > to make one think that the reporter should expect the list members to > develop a patch, while in practise the first thing that's asked is > "since you've studied the problem well, do you happen to have a patch?". > And it happened a few times that in response we got "oops sorry, I > analysed it wrong, there's no issue there". I think the text should > emphasize more on encouraging submitters to complete their work with > a patch proposal (that's also helpful to confirm an analysis). And > conversely I think that reports for non-immediately exploitable issues > that are found by code analyzers (and almost always come without a > patch) should not be sent to this list and should be discussed and > addressed publicly instead. It's more efficient and allows more > knowledgeable participants to have their say on the root cause of > the problem and its possible solutions. That's of course not always > the case, but common sense should prevail here. I think the wording would be "It is preferrable to have a proposed patch for the bug you report. See Documentation/process/submitting-patches.rst for details on how to submit patches." Thanks.
On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote: > Hi, > > This is v3 of clarifying our documentation for reporting security > issues. > > The current document is not clear enough, in particular the process of > disclosure and requesting CVEs, and what the roles of the different > lists are and how exactly to report to each of them. > > Lots of people have been confused about the 7/14 days of the kernel list > vs. the 7/14 days of the distros list, the fact that these are two > separate lists, etc. Many reporters contact distros first, or submit > their report to both lists at the same time (which has the unfortunate > effect of starting off the disclosure countdown for the distros list > before s@k.o has had a chance to look at the report). I've shared the v2 > document with a couple of people who submitted reports and they said > they found it a lot clearer. > The docs LGTM, thanks! Reviewed-by: Bagas Sanjaya <bagasdotme@gmail.com>
On 3/6/23 07:02, Greg Kroah-Hartman wrote: > On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote: >> Lots of people have been confused about the 7/14 days of the kernel list >> vs. the 7/14 days of the distros list, the fact that these are two >> separate lists, etc. Many reporters contact distros first, or submit >> their report to both lists at the same time (which has the unfortunate >> effect of starting off the disclosure countdown for the distros list >> before s@k.o has had a chance to look at the report). I've shared the v2 >> document with a couple of people who submitted reports and they said >> they found it a lot clearer. >> >> Probably the easiest way to see the end result of this series is to view the >> rendered HTML which I've put here: >> https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html > > Thanks for doing this, it looks much better, but I do have some > objections with it. > > First off, you didn't cc: the security@k.o group to see if they agree > with this, any specific reason why? :) I did consider it, but thought it was better not to since this is not a security issue -- but I see it's actually listed in MAINTAINERS (in an entry I'm changing, no less... *facepalm*) Added to Cc, beginning of the thread is here: https://lore.kernel.org/all/20230305220010.20895-1-vegard.nossum@oracle.com/ > Secondly, and the bigger one, I think we should just drop all of the > references to linux-distros and oss-security entirely, as those are > groups that are outside of our control and interaction and have > different rules that we might not agree with. I find this a strange sentiment. All the major Linux distros have a presence on the distros list and it remains a valuable resource for coordination. I think most of the friction of the past should have been resolved by the distros list actually updating its rules last year (if not 100% according to your wishes, at least a good step in that direction), any remaining problems should hopefully be resolved by improving the documentation so that issues are not sent to the distros list prematurely. > They also just a tiny subset of Linux users and companies and as such > do not really reflect the majority of where Linux is used anymore. Is the elephant in the room that Android vendors are not rolling out kernel updates in the 7-14 days given by distros to publicly disclose the reported issues? If so, then I think this is the real issue here, and it should be stated outright. > But overall I like the slimmer size, so perhaps the end result just > being the first two major sections would be best. Let me take those > changes first and we can see how the result looks for now to see if that > will resolve some of the major issues the security@k.o group have right > now with reports (i.e. CVE requests, other group's disclosure rules and > dates). I personally think it would be a mistake not to include the info about the other lists, both because I think they have real value (and I do think they represent Linux kernel users, if not kernel developers) but also because, as Willy said, people will find the wrong information elsewhere and submit issues anyway, people are still going to want to request CVEs (regardless of what you or I think about them), etc. Anyway, I don't represent s@k.o so I don't decide, I really just want security for end users and as responsible disclosure as we can hope for. The patches are out there so feel free to use whatever you want from them. Thanks for looking it over. Vegard