[PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Sasha Levin]

Provide more information about how to interact with the linux-distros
mailing list for disclosing security bugs.

Reference the linux-distros list policy and clarify that the reporter
must read and understand those policies as they differ from
security@kernel.org's policy.

Suggested-by: Solar Designer <solar@openwall.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

Changes in v2:
 - Focus more on pointing to the linux-distros wiki and policies.
 - Remove explicit linux-distros email.
 - Remove various explanations of linux-distros policies.

 Documentation/admin-guide/security-bugs.rst | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
index dcd6c93c7aac..380d44fd618d 100644
--- a/Documentation/admin-guide/security-bugs.rst
+++ b/Documentation/admin-guide/security-bugs.rst
@@ -60,16 +60,15 @@ Coordination
 ------------
 
 Fixes for sensitive bugs, such as those that might lead to privilege
-escalations, may need to be coordinated with the private
-<linux-distros@vs.openwall.org> mailing list so that distribution vendors
-are well prepared to issue a fixed kernel upon public disclosure of the
-upstream fix. Distros will need some time to test the proposed patch and
-will generally request at least a few days of embargo, and vendor update
-publication prefers to happen Tuesday through Thursday. When appropriate,
-the security team can assist with this coordination, or the reporter can
-include linux-distros from the start. In this case, remember to prefix
-the email Subject line with "[vs]" as described in the linux-distros wiki:
-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
+escalations, may need to be coordinated with the private linux-distros mailing
+list so that distribution vendors are well prepared to issue a fixed kernel
+upon public disclosure of the upstream fix. Please read and follow the policies
+of linux-distros as specified in the linux-distros wiki page before reporting:
+<https://oss-security.openwall.org/wiki/mailing-lists/distros>. When
+appropriate, the security team can assist with this coordination, or the
+reporter can include linux-distros from the start. In this case, remember to
+prefix the email Subject line with "[vs]" as described in the linux-distros
+wiki.
 
 CVE assignment
 --------------
-- 
2.20.1

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Will Deacon]

On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> Provide more information about how to interact with the linux-distros
> mailing list for disclosing security bugs.
> 
> Reference the linux-distros list policy and clarify that the reporter
> must read and understand those policies as they differ from
> security@kernel.org's policy.
> 
> Suggested-by: Solar Designer <solar@openwall.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> 
> Changes in v2:
>  - Focus more on pointing to the linux-distros wiki and policies.
>  - Remove explicit linux-distros email.
>  - Remove various explanations of linux-distros policies.
> 
>  Documentation/admin-guide/security-bugs.rst | 19 +++++++++----------
>  1 file changed, 9 insertions(+), 10 deletions(-)
> 
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..380d44fd618d 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -60,16 +60,15 @@ Coordination
>  ------------
>  
>  Fixes for sensitive bugs, such as those that might lead to privilege
> -escalations, may need to be coordinated with the private
> -<linux-distros@vs.openwall.org> mailing list so that distribution vendors
> -are well prepared to issue a fixed kernel upon public disclosure of the
> -upstream fix. Distros will need some time to test the proposed patch and
> -will generally request at least a few days of embargo, and vendor update
> -publication prefers to happen Tuesday through Thursday. When appropriate,
> -the security team can assist with this coordination, or the reporter can
> -include linux-distros from the start. In this case, remember to prefix
> -the email Subject line with "[vs]" as described in the linux-distros wiki:
> -<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
> +escalations, may need to be coordinated with the private linux-distros mailing
> +list so that distribution vendors are well prepared to issue a fixed kernel
> +upon public disclosure of the upstream fix. Please read and follow the policies
> +of linux-distros as specified in the linux-distros wiki page before reporting:

can we add a "there" at the end of this sentence, so it can't be misread as
implying that you must follow the linux-distros policies before reporting to
security@kernel.org ?

Will

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Solar Designer]

On Thu, Jul 18, 2019 at 10:40:58AM +0100, Will Deacon wrote:
> On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > Provide more information about how to interact with the linux-distros
> > mailing list for disclosing security bugs.
> > 
> > Reference the linux-distros list policy and clarify that the reporter
> > must read and understand those policies as they differ from
> > security@kernel.org's policy.
> > 
> > Suggested-by: Solar Designer <solar@openwall.com>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> > 
> > Changes in v2:
> >  - Focus more on pointing to the linux-distros wiki and policies.
> >  - Remove explicit linux-distros email.
> >  - Remove various explanations of linux-distros policies.
> > 
> >  Documentation/admin-guide/security-bugs.rst | 19 +++++++++----------
> >  1 file changed, 9 insertions(+), 10 deletions(-)
> > 
> > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> > index dcd6c93c7aac..380d44fd618d 100644
> > --- a/Documentation/admin-guide/security-bugs.rst
> > +++ b/Documentation/admin-guide/security-bugs.rst
> > @@ -60,16 +60,15 @@ Coordination
> >  ------------
> >  
> >  Fixes for sensitive bugs, such as those that might lead to privilege
> > -escalations, may need to be coordinated with the private
> > -<linux-distros@vs.openwall.org> mailing list so that distribution vendors
> > -are well prepared to issue a fixed kernel upon public disclosure of the
> > -upstream fix. Distros will need some time to test the proposed patch and
> > -will generally request at least a few days of embargo, and vendor update
> > -publication prefers to happen Tuesday through Thursday. When appropriate,
> > -the security team can assist with this coordination, or the reporter can
> > -include linux-distros from the start. In this case, remember to prefix
> > -the email Subject line with "[vs]" as described in the linux-distros wiki:
> > -<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
> > +escalations, may need to be coordinated with the private linux-distros mailing
> > +list so that distribution vendors are well prepared to issue a fixed kernel
> > +upon public disclosure of the upstream fix. Please read and follow the policies
> > +of linux-distros as specified in the linux-distros wiki page before reporting:
> 
> can we add a "there" at the end of this sentence, so it can't be misread as
> implying that you must follow the linux-distros policies before reporting to
> security@kernel.org ?

Sasha's patch above and the addition suggested by Will look good to me.

Thanks!

Alexander

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Kees Cook]

On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> Provide more information about how to interact with the linux-distros
> mailing list for disclosing security bugs.
> 
> Reference the linux-distros list policy and clarify that the reporter
> must read and understand those policies as they differ from
> security@kernel.org's policy.
> 
> Suggested-by: Solar Designer <solar@openwall.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>

Sorry, but NACK, see below...

> ---
> 
> Changes in v2:
>  - Focus more on pointing to the linux-distros wiki and policies.

I think this is already happening in the text. What specifically do you
want described differently?

>  - Remove explicit linux-distros email.

I don't like this because we had past trouble with notifications going
to the distros@ list and leaking Linux-only flaws to the BSDs. As there
isn't a separate linux-distros wiki, the clarification of WHICH list is
needed.

>  - Remove various explanations of linux-distros policies.

I don't think there's value in removing the Tue-Thu comment, nor
providing context for why distros need time. This has been a regular
thing we've had to explain to researchers that aren't familiar with
update procedures and publication timing.

-Kees

> 
>  Documentation/admin-guide/security-bugs.rst | 19 +++++++++----------
>  1 file changed, 9 insertions(+), 10 deletions(-)
> 
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..380d44fd618d 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -60,16 +60,15 @@ Coordination
>  ------------
>  
>  Fixes for sensitive bugs, such as those that might lead to privilege
> -escalations, may need to be coordinated with the private
> -<linux-distros@vs.openwall.org> mailing list so that distribution vendors
> -are well prepared to issue a fixed kernel upon public disclosure of the
> -upstream fix. Distros will need some time to test the proposed patch and
> -will generally request at least a few days of embargo, and vendor update
> -publication prefers to happen Tuesday through Thursday. When appropriate,
> -the security team can assist with this coordination, or the reporter can
> -include linux-distros from the start. In this case, remember to prefix
> -the email Subject line with "[vs]" as described in the linux-distros wiki:
> -<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
> +escalations, may need to be coordinated with the private linux-distros mailing
> +list so that distribution vendors are well prepared to issue a fixed kernel
> +upon public disclosure of the upstream fix. Please read and follow the policies
> +of linux-distros as specified in the linux-distros wiki page before reporting:
> +<https://oss-security.openwall.org/wiki/mailing-lists/distros>. When
> +appropriate, the security team can assist with this coordination, or the
> +reporter can include linux-distros from the start. In this case, remember to
> +prefix the email Subject line with "[vs]" as described in the linux-distros
> +wiki.
>  
>  CVE assignment
>  --------------
> -- 
> 2.20.1
> 

-- 
Kees Cook

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Sasha Levin]

On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
>On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
>> Provide more information about how to interact with the linux-distros
>> mailing list for disclosing security bugs.
>>
>> Reference the linux-distros list policy and clarify that the reporter
>> must read and understand those policies as they differ from
>> security@kernel.org's policy.
>>
>> Suggested-by: Solar Designer <solar@openwall.com>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>
>Sorry, but NACK, see below...
>
>> ---
>>
>> Changes in v2:
>>  - Focus more on pointing to the linux-distros wiki and policies.
>
>I think this is already happening in the text. What specifically do you
>want described differently?

The main issue was that there isn't anything pointing to the
linux-distros policies. The current text outlines a few of them ("add
[vs]", and "there should be an embargo period"), but it effectively just
gives out the linux-distros mailing address and tells the reporter to
contact it.

>>  - Remove explicit linux-distros email.
>
>I don't like this because we had past trouble with notifications going
>to the distros@ list and leaking Linux-only flaws to the BSDs. As there
>isn't a separate linux-distros wiki, the clarification of WHICH list is
>needed.

Why would removing the explicit linux-distros email encourage people to
send reports to it?

I also don't understand what you mean by "there isn't a separate
linux-distros wiki"? There is one, and I want to point the reporter
there.

>>  - Remove various explanations of linux-distros policies.
>
>I don't think there's value in removing the Tue-Thu comment, nor
>providing context for why distros need time. This has been a regular
>thing we've had to explain to researchers that aren't familiar with
>update procedures and publication timing.

To be fair, the Tue-Thu comment is listed in the section describing how
to do coordination with linux-distros, and linux-distros don't have a
Tue-Thu policy. If it's a security@kernel.org policy then let's list it
elsewhere.

If you feel that there is a consensus around Tue-Thu let's just add it
to the linux-distros policy wiki, there's no point in listing random
policies from that wiki.

--
Thanks,
Sasha

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Kees Cook]

On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > Provide more information about how to interact with the linux-distros
> > > mailing list for disclosing security bugs.
> > > 
> > > Reference the linux-distros list policy and clarify that the reporter
> > > must read and understand those policies as they differ from
> > > security@kernel.org's policy.
> > > 
> > > Suggested-by: Solar Designer <solar@openwall.com>
> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > 
> > Sorry, but NACK, see below...
> > 
> > > ---
> > > 
> > > Changes in v2:
> > >  - Focus more on pointing to the linux-distros wiki and policies.
> > 
> > I think this is already happening in the text. What specifically do you
> > want described differently?
> 
> The main issue was that there isn't anything pointing to the
> linux-distros policies. The current text outlines a few of them ("add
> [vs]", and "there should be an embargo period"), but it effectively just
> gives out the linux-distros mailing address and tells the reporter to
> contact it.

The current text includes the wiki link, but yes, the anchor tag is not
present at the wiki anymore. I would agree that's due for updating.

I think reinforcing information to avoid past mistakes is appropriate
here. Reports have regularly missed the "[vs]" detail or suggested
embargoes that ended on Fridays, etc.

> > >  - Remove explicit linux-distros email.
> > 
> > I don't like this because we had past trouble with notifications going
> > to the distros@ list and leaking Linux-only flaws to the BSDs. As there
> > isn't a separate linux-distros wiki, the clarification of WHICH list is
> > needed.
> 
> Why would removing the explicit linux-distros email encourage people to
> send reports to it?

What? No, I'm saying we should _keep_ linux-distros@... in our text so
that people don't send to the wrong list.

> I also don't understand what you mean by "there isn't a separate
> linux-distros wiki"? There is one, and I want to point the reporter
> there.

That URL is a combined page for two lists. The very fact that it's
not obvious that there are two lists described there is exactly why I
think we need to keep an explicit mention of which to use. There are
two mailing lists described at the wiki URL:

	      distros@lists.openwall.com
	linux-distros@lists.openwall.com

Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
distros. This has caused leaks in the past, and we do not want people
guessing at which list they should use.

Also note that nowhere on the openwall wiki is the email address
actually spelled out; this is another reason to spell it out in our
documentation: no misunderstanding.

(And historically there WAS a specific linux-distros wiki:
https://oss-security.openwall.org/wiki/mailing-lists/linux-distros
but it redirects to the combined one now...)

> > >  - Remove various explanations of linux-distros policies.
> > 
> > I don't think there's value in removing the Tue-Thu comment, nor
> > providing context for why distros need time. This has been a regular
> > thing we've had to explain to researchers that aren't familiar with
> > update procedures and publication timing.
> 
> To be fair, the Tue-Thu comment is listed in the section describing how
> to do coordination with linux-distros, and linux-distros don't have a
> Tue-Thu policy. If it's a security@kernel.org policy then let's list it
> elsewhere.

It's a distro preference. Many researchers aren't thinking about the
larger Linux ecosystem that has to consume fixes. It's not a _policy_,
but it makes the researchers understand how to construct better embargoes.

> If you feel that there is a consensus around Tue-Thu let's just add it
> to the linux-distros policy wiki, there's no point in listing random
> policies from that wiki.

I think it'd be a good idea to add that note also to the wiki, but I
don't want it removed from our text because I have had to repeat that
information regularly in the past.

-- 
Kees Cook

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Sasha Levin]

On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
>On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
>> On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
>> > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
>> > > Provide more information about how to interact with the linux-distros
>> > > mailing list for disclosing security bugs.
>> > >
>> > > Reference the linux-distros list policy and clarify that the reporter
>> > > must read and understand those policies as they differ from
>> > > security@kernel.org's policy.
>> > >
>> > > Suggested-by: Solar Designer <solar@openwall.com>
>> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
>> >
>> > Sorry, but NACK, see below...
>> >
>> > > ---
>> > >
>> > > Changes in v2:
>> > >  - Focus more on pointing to the linux-distros wiki and policies.
>> >
>> > I think this is already happening in the text. What specifically do you
>> > want described differently?
>>
>> The main issue was that there isn't anything pointing to the
>> linux-distros policies. The current text outlines a few of them ("add
>> [vs]", and "there should be an embargo period"), but it effectively just
>> gives out the linux-distros mailing address and tells the reporter to
>> contact it.
>
>The current text includes the wiki link, but yes, the anchor tag is not
>present at the wiki anymore. I would agree that's due for updating.
>
>I think reinforcing information to avoid past mistakes is appropriate
>here. Reports have regularly missed the "[vs]" detail or suggested
>embargoes that ended on Fridays, etc.

Right, but this is a sign that the reporter didn't read the wiki.
Explaining things like this encourages reporters to skip reading the
wiki and just send their report out.

>> > >  - Remove explicit linux-distros email.
>> >
>> > I don't like this because we had past trouble with notifications going
>> > to the distros@ list and leaking Linux-only flaws to the BSDs. As there
>> > isn't a separate linux-distros wiki, the clarification of WHICH list is
>> > needed.
>>
>> Why would removing the explicit linux-distros email encourage people to
>> send reports to it?
>
>What? No, I'm saying we should _keep_ linux-distros@... in our text so
>that people don't send to the wrong list.

But doesn't this just encourage mails being sent to linux-distros@
without the policies being followed? That was Alexander's concern at
least.

>> I also don't understand what you mean by "there isn't a separate
>> linux-distros wiki"? There is one, and I want to point the reporter
>> there.
>
>That URL is a combined page for two lists. The very fact that it's
>not obvious that there are two lists described there is exactly why I
>think we need to keep an explicit mention of which to use. There are
>two mailing lists described at the wiki URL:
>
>	      distros@lists.openwall.com
>	linux-distros@lists.openwall.com
>
>Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
>distros. This has caused leaks in the past, and we do not want people
>guessing at which list they should use.
>
>Also note that nowhere on the openwall wiki is the email address
>actually spelled out; this is another reason to spell it out in our
>documentation: no misunderstanding.
>
>(And historically there WAS a specific linux-distros wiki:
>https://oss-security.openwall.org/wiki/mailing-lists/linux-distros
>but it redirects to the combined one now...)
>
>> > >  - Remove various explanations of linux-distros policies.
>> >
>> > I don't think there's value in removing the Tue-Thu comment, nor
>> > providing context for why distros need time. This has been a regular
>> > thing we've had to explain to researchers that aren't familiar with
>> > update procedures and publication timing.
>>
>> To be fair, the Tue-Thu comment is listed in the section describing how
>> to do coordination with linux-distros, and linux-distros don't have a
>> Tue-Thu policy. If it's a security@kernel.org policy then let's list it
>> elsewhere.
>
>It's a distro preference. Many researchers aren't thinking about the
>larger Linux ecosystem that has to consume fixes. It's not a _policy_,
>but it makes the researchers understand how to construct better embargoes.

If it's an accepted preference then we should just document it in a few
other places like the linux-distros@ wiki. My concern with this is that
it's not, and it's actually one of the only things Alexander pointed out
in this document as surprising.

--
Thanks,
Sasha

>> If you feel that there is a consensus around Tue-Thu let's just add it
>> to the linux-distros policy wiki, there's no point in listing random
>> policies from that wiki.
>
>I think it'd be a good idea to add that note also to the wiki, but I
>don't want it removed from our text because I have had to repeat that
>information regularly in the past.
>
>-- 
>Kees Cook

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Solar Designer]

On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > > 
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@kernel.org's policy.
> > > > 
> > > > Suggested-by: Solar Designer <solar@openwall.com>
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > 
> > > Sorry, but NACK, see below...

I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then
I suggest that we apply Sasha's first revision of the patch instead.
I think either revision is an improvement on the status quo.

> I think reinforcing information to avoid past mistakes is appropriate
> here.

Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:

- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.

- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@k.o or whether
they want someone on linux-distros to help coordinate with security@k.o.
(Maybe this is something we want to write about here.)

- The Linux kernel bug having been introduced too recently to be of much
interest to distros.

> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.

This happens too.  Regarding missing the "[vs]" detail, technically
there are also a number of other conditions that also let the message
through, but those are changing and are deliberately not advertised.

> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.

Right.

> This has caused leaks in the past

Do you mean leaks to *BSD security teams or to the public?  I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list.  Are you?

Alexander

Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros

[Kees Cook]

On Fri, Jul 19, 2019 at 10:42:15AM +0200, Solar Designer wrote:
> - The reporter having been directed to post from elsewhere (and I
> suspect this documentation file) without being aware of list policy.

Perhaps specify "linux-distros@" without a domain, so it's more clear?
Or re-split the Wiki into two pages to avoid confusion?

> - The reporter not mentioning (and sometimes not replying even when
> asked) whether they're also coordinating with security@k.o or whether
> they want someone on linux-distros to help coordinate with security@k.o.
> (Maybe this is something we want to write about here.)

Yeah, that seems useful to include in both places.

> - The Linux kernel bug having been introduced too recently to be of much
> interest to distros.

Right; that'd be good to add as well. I see a lot of panic on twitter,
for example, about bugs that only ever existed in -rc releases.

> > Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> > distros.
> 
> Right.
> 
> > This has caused leaks in the past
> 
> Do you mean leaks to *BSD security teams or to the public?  I'm not
> aware of past leaks to the public via the non-Linux distros present on
> the distros@ list.  Are you?

I don't know the origin of the leaks, but it only happened when distros@
was used instead of linux-distros@. I think this happened with DirtyCOW,
specifically.

-- 
Kees Cook