From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Linus Torvalds <torvalds@linux-foundation.org>, Greg KH <greg@kroah.com>
Cc: mchehab+samsung@kernel.org,
	ksummit <ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues
Date: Sun, 09 Sep 2018 07:38:50 -0700
Message-ID: <1536503930.3192.2.camel@HansenPartnership.com>
In-Reply-To: <CA+55aFwHH7cN0GXcV7trRs1zgdak+_e8-TyXEsXu62G5V_248A@mail.gmail.com>

On Sun, 2018-09-09 at 07:20 -0700, Linus Torvalds wrote:
> On Sun, Sep 9, 2018 at 5:51 AM Greg KH <greg@kroah.com> wrote:
> > 
> > But remember, this is only needed for the "crazy" issues, like
> > Meltdown. What we put together ad hoc for L1TF worked well, and
> > what we do every week in handling security issues sent to
> > security@k.org works very well also.  So well that no one really
> > realizes what we do there :)
> 
> Note that at some point, we should just say "f*ck it".
> 
> For hardware bugs, we should remember that *we* aren't the ones that
> are in trouble. If a hardware company makes it too hard for us to
> work with them, we should literally say "go the f*ck away" and stop
> talking to them.
> 
> It's *their* problem, not ours.  If they only work with vendors
> unable to talk to core maintainers, I guarantee that it will *remain*
> their problem. I will happily tell the world that the hardware
> company screwed up and didn't even help us try to fix things right.
> 
> Their lawyers and PR people can go screw themselves.
> 
> Seriously. People need to be aware that it's not us that should be
> bending over backwards over hardware issues. If some hardware company
> wants an NDA from me for their own screw-ups, I'll laugh in their
> face, and then I'll tell journalists about how they actively made it
> harder to fix their mess.

So it seems we have the two choices:

   1. Conform to industry norms for disclosures and find a way of bringing
      an NDA framework to Linux security fix handling
   2. Force industry to adopt new norms that actually work well with open
      source.

I think I already hear a majority for number 2.

However, to make 2 work we need to use every tool at our disposal to
push for change, including our PR relationships and, to be true to
that, we really should publish a critique of what went wrong with
Spectre/Meltdown and how it should have gone better.  That way we have
something to point to when someone asks what to do about the next
hardware side channel problem.  I'm sure lwn.net would be up for doing
something to help with this provided we give them access to the raw
material and maintainer interviews so they can present a coherent story
rather than a gripe fest (which is what we've mostly got in this
thread).

James


Thread overview: 54+ messages
2018-09-06 19:18 [Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues Jiri Kosina
2018-09-06 20:56 ` Linus Torvalds
2018-09-06 21:14   ` Jiri Kosina
2018-09-06 22:51     ` Eduardo Valentin
2018-09-07  9:17   ` Jani Nikula
2018-09-07 14:43   ` David Woodhouse
2018-09-06 22:55 ` Eduardo Valentin
2018-09-07  8:21   ` Geert Uytterhoeven
2018-09-10 23:26     ` Eduardo Valentin
2018-09-11  8:45       ` Greg KH
2018-09-11 17:10         ` Dave Hansen
2018-09-11 18:28           ` Greg KH
2018-09-11 18:44           ` Thomas Gleixner
2018-09-07 13:30   ` Jiri Kosina
2018-09-09 12:55     ` Greg KH
2018-09-09 19:48       ` Jiri Kosina
2018-09-10  4:04         ` Eduardo Valentin
2018-09-12  7:03           ` Greg KH
2018-09-10  4:12       ` Eduardo Valentin
2018-09-10 11:10       ` Mark Brown
2018-09-12  4:22   ` Balbir Singh
2018-09-08  4:21 ` Andy Lutomirski
2018-09-08  8:56   ` Thomas Gleixner
2018-09-08 11:21     ` Mauro Carvalho Chehab
2018-09-08 11:34       ` Greg KH
2018-09-08 14:20         ` Andy Lutomirski
2018-09-08 15:29           ` Greg KH
2018-09-08 15:00         ` James Bottomley
2018-09-08 15:32           ` Greg KH
2018-09-08 15:54             ` James Bottomley
2018-09-08 19:49               ` Linus Torvalds
2018-09-08 21:24                 ` James Bottomley
2018-09-08 22:33                   ` Andy Lutomirski
2018-09-09 12:18                     ` Mauro Carvalho Chehab
2018-09-10 22:59                 ` Dave Hansen
2018-09-11  8:48                   ` Greg KH
2018-09-09 12:51               ` Greg KH
2018-09-09 14:20                 ` Linus Torvalds
2018-09-09 14:38                   ` James Bottomley [this message]
2018-09-09 14:51                     ` Andy Lutomirski
2018-09-09 17:20                       ` Theodore Y. Ts'o
2018-09-09 17:48                         ` David Woodhouse
2018-09-09 18:17                         ` Andy Lutomirski
2018-09-09 18:56                           ` Theodore Y. Ts'o
2018-09-09 19:19                             ` Andy Lutomirski
2018-09-09 20:20                             ` Jiri Kosina
2018-09-09 21:36                               ` James Bottomley
2018-09-10  9:25                             ` Thomas Gleixner
2018-09-10 14:40                               ` James Bottomley
2018-09-11  8:20                               ` Jiri Kosina
2018-09-11  9:03                                 ` Thomas Gleixner
2018-09-09 19:41                   ` Jiri Kosina
2018-09-08 19:26           ` Jiri Kosina
2018-09-08 19:47             ` James Bottomley
