[PATCH] Documentation/security-bugs: Explain why plain text is preferred

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] Documentation/security-bugs: Explain why plain text is preferred
@ 2020-07-09 18:11 Kees Cook
  2020-07-09 20:42 ` Will Deacon
                   ` (5 more replies)
  0 siblings, 6 replies; 10+ messages in thread
From: Kees Cook @ 2020-07-09 18:11 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: Greg Kroah-Hartman, security, linux-doc, linux-kernel

The security contact list gets regular reports contained in archive
attachments. This tends to add some back-and-forth delay in dealing with
security reports since we have to ask for plain text, etc.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
index dcd6c93c7aac..c32eb786201c 100644
--- a/Documentation/admin-guide/security-bugs.rst
+++ b/Documentation/admin-guide/security-bugs.rst
@@ -21,11 +21,18 @@ understand and fix the security vulnerability.
 
 As it is with any bug, the more information provided the easier it
 will be to diagnose and fix.  Please review the procedure outlined in
-admin-guide/reporting-bugs.rst if you are unclear about what
+:doc:`reporting-bugs` if you are unclear about what
 information is helpful.  Any exploit code is very helpful and will not
 be released without consent from the reporter unless it has already been
 made public.
 
+Please send plain text emails without attachments where possible.
+It is much harder to have a context-quoted discussion about a complex
+issue if all the details are hidden away in attachments.  Think of it like a
+:doc:`regular patch submission <../process/submitting-patches>`
+(even if you don't have a patch yet): describe the problem and impact, list
+reproduction steps, and follow it with a proposed fix, all in plain text.
+
 Disclosure and embargoed information
 ------------------------------------
 
-- 
2.25.1


-- 
Kees Cook

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
@ 2020-07-09 20:42 ` Will Deacon
  2020-07-09 22:17   ` Kees Cook
                     ` (2 more replies)
  2020-07-09 22:50 ` Jiri Kosina
                   ` (4 subsequent siblings)
  5 siblings, 3 replies; 10+ messages in thread
From: Will Deacon @ 2020-07-09 20:42 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jonathan Corbet, Greg Kroah-Hartman, security, linux-doc, linux-kernel

On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..c32eb786201c 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
>  
>  As it is with any bug, the more information provided the easier it
>  will be to diagnose and fix.  Please review the procedure outlined in
> -admin-guide/reporting-bugs.rst if you are unclear about what
> +:doc:`reporting-bugs` if you are unclear about what
>  information is helpful.  Any exploit code is very helpful and will not
>  be released without consent from the reporter unless it has already been
>  made public.
>  
> +Please send plain text emails without attachments where possible.
> +It is much harder to have a context-quoted discussion about a complex
> +issue if all the details are hidden away in attachments.  Think of it like a
> +:doc:`regular patch submission <../process/submitting-patches>`
> +(even if you don't have a patch yet): describe the problem and impact, list
> +reproduction steps, and follow it with a proposed fix, all in plain text.
> +

Acked-by: Will Deacon <will@kernel.org>

Hopefully "plain text" implies unencrypted as much as it does "not html".

Will

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 20:42 ` Will Deacon
@ 2020-07-09 22:17   ` Kees Cook
  2020-07-10  3:45   ` Willy Tarreau
  2020-07-10 10:37   ` Peter Zijlstra
  2 siblings, 0 replies; 10+ messages in thread
From: Kees Cook @ 2020-07-09 22:17 UTC (permalink / raw)
  To: Will Deacon
  Cc: Jonathan Corbet, Greg Kroah-Hartman, security, linux-doc, linux-kernel

On Thu, Jul 09, 2020 at 09:42:56PM +0100, Will Deacon wrote:
> On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> > The security contact list gets regular reports contained in archive
> > attachments. This tends to add some back-and-forth delay in dealing with
> > security reports since we have to ask for plain text, etc.
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> > index dcd6c93c7aac..c32eb786201c 100644
> > --- a/Documentation/admin-guide/security-bugs.rst
> > +++ b/Documentation/admin-guide/security-bugs.rst
> > @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
> >  
> >  As it is with any bug, the more information provided the easier it
> >  will be to diagnose and fix.  Please review the procedure outlined in
> > -admin-guide/reporting-bugs.rst if you are unclear about what
> > +:doc:`reporting-bugs` if you are unclear about what
> >  information is helpful.  Any exploit code is very helpful and will not
> >  be released without consent from the reporter unless it has already been
> >  made public.
> >  
> > +Please send plain text emails without attachments where possible.
> > +It is much harder to have a context-quoted discussion about a complex
> > +issue if all the details are hidden away in attachments.  Think of it like a
> > +:doc:`regular patch submission <../process/submitting-patches>`
> > +(even if you don't have a patch yet): describe the problem and impact, list
> > +reproduction steps, and follow it with a proposed fix, all in plain text.
> > +
> 
> Acked-by: Will Deacon <will@kernel.org>

Thanks!

> 
> Hopefully "plain text" implies unencrypted as much as it does "not html".

I decided not to write a paragraph about how security@ isn't a
role-account with a separate GPG key etc etc. Those cases are rare
enough that I don't think it (yet) warrants a paragraph here. I want to
strike a balance between "all your questions are answered" and "there's
too much here for me to find the answer to my question". :)

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
  2020-07-09 20:42 ` Will Deacon
@ 2020-07-09 22:50 ` Jiri Kosina
  2020-07-09 23:03 ` Gustavo A. R. Silva
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Jiri Kosina @ 2020-07-09 22:50 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jonathan Corbet, Greg Kroah-Hartman, security, linux-doc, linux-kernel

On Thu, 9 Jul 2020, Kees Cook wrote:

> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Jiri Kosina <jkosina@suse.cz>

Thanks,

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
  2020-07-09 20:42 ` Will Deacon
  2020-07-09 22:50 ` Jiri Kosina
@ 2020-07-09 23:03 ` Gustavo A. R. Silva
  2020-07-10  6:49 ` Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Gustavo A. R. Silva @ 2020-07-09 23:03 UTC (permalink / raw)
  To: Kees Cook, Jonathan Corbet
  Cc: Greg Kroah-Hartman, security, linux-doc, linux-kernel



On 7/9/20 13:11, Kees Cook wrote:
> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks
--
Gustavo

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 20:42 ` Will Deacon
  2020-07-09 22:17   ` Kees Cook
@ 2020-07-10  3:45   ` Willy Tarreau
  2020-07-10 10:37   ` Peter Zijlstra
  2 siblings, 0 replies; 10+ messages in thread
From: Willy Tarreau @ 2020-07-10  3:45 UTC (permalink / raw)
  To: Will Deacon
  Cc: Kees Cook, Jonathan Corbet, Greg Kroah-Hartman, security,
	linux-doc, linux-kernel

On Thu, Jul 09, 2020 at 09:42:56PM +0100, Will Deacon wrote:
> Acked-by: Will Deacon <will@kernel.org>
> 
> Hopefully "plain text" implies unencrypted as much as it does "not html".

I would have liked "(i.e. not html)" to be added after "plain text", but
I figured that those who do that often don't even know what this means
so that will probably not help them avoid their messages being stored
into a spambox :-/

Acked-by: Willy Tarreau <w@1wt.eu>

Willy

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
                   ` (2 preceding siblings ...)
  2020-07-09 23:03 ` Gustavo A. R. Silva
@ 2020-07-10  6:49 ` Greg Kroah-Hartman
  2020-07-10 10:36 ` Peter Zijlstra
  2020-07-13 15:37 ` Jonathan Corbet
  5 siblings, 0 replies; 10+ messages in thread
From: Greg Kroah-Hartman @ 2020-07-10  6:49 UTC (permalink / raw)
  To: Kees Cook; +Cc: Jonathan Corbet, security, linux-doc, linux-kernel

On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>

Thanks for this, that will hopefully keep us from having to say the same
thing over and over :)

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
                   ` (3 preceding siblings ...)
  2020-07-10  6:49 ` Greg Kroah-Hartman
@ 2020-07-10 10:36 ` Peter Zijlstra
  2020-07-13 15:37 ` Jonathan Corbet
  5 siblings, 0 replies; 10+ messages in thread
From: Peter Zijlstra @ 2020-07-10 10:36 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jonathan Corbet, Greg Kroah-Hartman, security, linux-doc, linux-kernel

On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..c32eb786201c 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
>  
>  As it is with any bug, the more information provided the easier it
>  will be to diagnose and fix.  Please review the procedure outlined in
> -admin-guide/reporting-bugs.rst if you are unclear about what
> +:doc:`reporting-bugs` if you are unclear about what

I can do 'gf' on Documentation/admin-guide/reporting-bugs.rst, I can do
didly squat with crap like :doc:'reporting-bugs'.

NAK

>  information is helpful.  Any exploit code is very helpful and will not
>  be released without consent from the reporter unless it has already been
>  made public.
>  
> +Please send plain text emails without attachments where possible.
> +It is much harder to have a context-quoted discussion about a complex
> +issue if all the details are hidden away in attachments.  Think of it like a
> +:doc:`regular patch submission <../process/submitting-patches>`

More unusable references.

> +(even if you don't have a patch yet): describe the problem and impact, list
> +reproduction steps, and follow it with a proposed fix, all in plain text.
> +

You forgot to mention that opening complex file formats is a security
risk all of its own.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 20:42 ` Will Deacon
  2020-07-09 22:17   ` Kees Cook
  2020-07-10  3:45   ` Willy Tarreau
@ 2020-07-10 10:37   ` Peter Zijlstra
  2 siblings, 0 replies; 10+ messages in thread
From: Peter Zijlstra @ 2020-07-10 10:37 UTC (permalink / raw)
  To: Will Deacon
  Cc: Kees Cook, Jonathan Corbet, Greg Kroah-Hartman, security,
	linux-doc, linux-kernel

On Thu, Jul 09, 2020 at 09:42:56PM +0100, Will Deacon wrote:
> On Thu, Jul 09, 2020 at 11:11:30AM -0700, Kees Cook wrote:
> > The security contact list gets regular reports contained in archive
> > attachments. This tends to add some back-and-forth delay in dealing with
> > security reports since we have to ask for plain text, etc.
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> > index dcd6c93c7aac..c32eb786201c 100644
> > --- a/Documentation/admin-guide/security-bugs.rst
> > +++ b/Documentation/admin-guide/security-bugs.rst
> > @@ -21,11 +21,18 @@ understand and fix the security vulnerability.
> >  
> >  As it is with any bug, the more information provided the easier it
> >  will be to diagnose and fix.  Please review the procedure outlined in
> > -admin-guide/reporting-bugs.rst if you are unclear about what
> > +:doc:`reporting-bugs` if you are unclear about what
> >  information is helpful.  Any exploit code is very helpful and will not
> >  be released without consent from the reporter unless it has already been
> >  made public.
> >  
> > +Please send plain text emails without attachments where possible.
> > +It is much harder to have a context-quoted discussion about a complex
> > +issue if all the details are hidden away in attachments.  Think of it like a
> > +:doc:`regular patch submission <../process/submitting-patches>`
> > +(even if you don't have a patch yet): describe the problem and impact, list
> > +reproduction steps, and follow it with a proposed fix, all in plain text.
> > +
> 
> Acked-by: Will Deacon <will@kernel.org>
> 
> Hopefully "plain text" implies unencrypted as much as it does "not html".

Or that RST crap :-(

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] Documentation/security-bugs: Explain why plain text is preferred
  2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
                   ` (4 preceding siblings ...)
  2020-07-10 10:36 ` Peter Zijlstra
@ 2020-07-13 15:37 ` Jonathan Corbet
  5 siblings, 0 replies; 10+ messages in thread
From: Jonathan Corbet @ 2020-07-13 15:37 UTC (permalink / raw)
  To: Kees Cook; +Cc: Greg Kroah-Hartman, security, linux-doc, linux-kernel

On Thu, 9 Jul 2020 11:11:30 -0700
Kees Cook <keescook@chromium.org> wrote:

> The security contact list gets regular reports contained in archive
> attachments. This tends to add some back-and-forth delay in dealing with
> security reports since we have to ask for plain text, etc.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  Documentation/admin-guide/security-bugs.rst | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)

Applied, thanks.

jon

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2020-07-13 15:37 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-09 18:11 [PATCH] Documentation/security-bugs: Explain why plain text is preferred Kees Cook
2020-07-09 20:42 ` Will Deacon
2020-07-09 22:17   ` Kees Cook
2020-07-10  3:45   ` Willy Tarreau
2020-07-10 10:37   ` Peter Zijlstra
2020-07-09 22:50 ` Jiri Kosina
2020-07-09 23:03 ` Gustavo A. R. Silva
2020-07-10  6:49 ` Greg Kroah-Hartman
2020-07-10 10:36 ` Peter Zijlstra
2020-07-13 15:37 ` Jonathan Corbet

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).