From: Krzysztof Kozlowski <krzk@kernel.org>
To: Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Marek Szyprowski <m.szyprowski@samsung.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Brooke Basile <brookebasile@gmail.com>,
	Felipe Balbi <balbi@kernel.org>,
	Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
	Krzysztof Kozlowski <krzk@kernel.org>
Subject: [PATCH 2/2] docs: admin-guide: Not every security bug should be kept hidden
Date: Thu, 27 Aug 2020 12:53:19 +0200
Message-ID: <20200827105319.9734-2-krzk@kernel.org>
In-Reply-To: <20200827105319.9734-1-krzk@kernel.org>

The document describes the process of handling security bugs but does not
mention any criteria for what a "security bug" is, unlike
submitting-patches.rst, which explicitly says: publicly exploitable bug.

Many NULL pointer exceptions, off-by-one errors or overflows tend
to look like security bugs, so there might be a temptation to discuss
them behind the security list, which is not an open list.

Such discussion limits the amount of testing and independent reviewing.
Sacrificing open discussion is understandable in the case of real
security issues but not for regular bugs.  These should be discussed
publicly.

At the end, "security problems are just bugs".

Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>

---

Follow up to:
https://lore.kernel.org/linux-usb/1425ab4f-ef7e-97d9-238f-0328ab51eb35@samsung.com/
---
 Documentation/admin-guide/security-bugs.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
index c32eb786201c..7ebddbd4bbcd 100644
--- a/Documentation/admin-guide/security-bugs.rst
+++ b/Documentation/admin-guide/security-bugs.rst
@@ -78,6 +78,12 @@ include linux-distros from the start. In this case, remember to prefix
 the email Subject line with "[vs]" as described in the linux-distros wiki:
 <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
 
+Fixes for non-exploitable bugs which do not pose a real security risk, should
+be disclosed in a regular way of submitting patches to Linux kernel (see
+:ref:`Documentation/process/submitting-patches.rst <submitting-patches>`).
+Just because patch fixes some off-by-one or NULL pointer exception, does not
+classify it as a security bug which should be discussed in closed channels.
+
 CVE assignment
 --------------
 
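Review bot: the new paragraph gives no guidance for the uncertain case, which is the one that actually sends people to the closed list: a submitter who cannot tell whether an off-by-one or NULL dereference is exploitable has no rule to follow here. Consider adding a sentence that, when in doubt, the reporter should follow the security@kernel.org process described earlier in this file and let the security team make the call, and quoting the submitting-patches.rst criterion ("publicly exploitable bug") the commit message relies on so both documents state the same test. Wording nits in the same lines: drop the stray comma in "which do not pose a real security risk, should", "in a regular way" reads better as "in the regular way", "disclosed" should be "submitted" since nothing is being disclosed, and "Just because patch fixes some off-by-one" needs an article ("Just because a patch fixes").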
-- 
2.17.1

