linux-kernel.vger.kernel.org archive mirror
* [PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
@ 2023-10-15 13:09 Willy Tarreau
  2023-10-23  2:31 ` Jonathan Corbet
  0 siblings, 1 reply; 4+ messages in thread
From: Willy Tarreau @ 2023-10-15 13:09 UTC (permalink / raw)
  To: linux-doc
  Cc: linux-kernel, Jiri Kosina, security, corbet, workflows,
	Willy Tarreau, Greg Kroah-Hartman, Kees Cook, Solar Designer,
	Vegard Nossum

The linux-distros list relaxed their rules to try to adapt better to
how the Linux kernel works. Let's update the Coordination part to
explain why and when to contact them or not to and how to avoid trouble
in the future.

Link: https://www.openwall.com/lists/oss-security/2023/09/08/4
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Solar Designer <solar@openwall.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---

This is the final version for merging. Changes since RFC:
  - s/BEFORE/UNTIL from Vegard
  - improved wording from Alexander
  - acked-by from Jiri

Thanks!
Willy

---
 Documentation/process/security-bugs.rst | 35 ++++++++++++++++++-------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 5a6993795bd2..692a3ba56cca 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -66,15 +66,32 @@ lifted, in perpetuity.
 Coordination with other groups
 ------------------------------
 
-The kernel security team strongly recommends that reporters of potential
-security issues NEVER contact the "linux-distros" mailing list until
-AFTER discussing it with the kernel security team.  Do not Cc: both
-lists at once.  You may contact the linux-distros mailing list after a
-fix has been agreed on and you fully understand the requirements that
-doing so will impose on you and the kernel community.
-
-The different lists have different goals and the linux-distros rules do
-not contribute to actually fixing any potential security problems.
+While the kernel security team solely focuses on getting bugs fixed,
+other groups focus on fixing issues in distros and coordinating
+disclosure between operating system vendors.  Coordination is usually
+handled by the "linux-distros" mailing list and disclosure by the
+public "oss-security" mailing list, both of which are closely related
+and presented in the linux-distros wiki:
+<https://oss-security.openwall.org/wiki/mailing-lists/distros>
+
+Please note that the respective policies and rules are different since
+the 3 lists pursue different goals.  Coordinating between the kernel
+security team and other teams is difficult since for the kernel security
+team occasional embargoes (as subject to a maximum allowed number of
+days) start from the availability of a fix, while for "linux-distros"
+they start from the initial post to the list regardless of the
+availability of a fix.
+
+As such, the kernel security team strongly recommends that as a reporter
+of a potential security issue you DO NOT contact the "linux-distros"
+mailing list UNTIL a fix is accepted by the affected code's maintainers
+and you have read the distros wiki page above and you fully understand
+the requirements that contacting "linux-distros" will impose on you and
+the kernel community.  This also means that in general it doesn't make
+sense to Cc: both lists at once, except maybe for coordination if and
+while an accepted fix has not yet been merged.  In other words, until a
+fix is accepted do not Cc: "linux-distros", and after it's merged do not
+Cc: the kernel security team.
 
 CVE assignment
 --------------
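Review bot: In the second new paragraph, "the 3 lists pursue different goals" should spell the number out ("the three lists"), and the parenthetical "(as subject to a maximum allowed number of days)" is hard to parse; "(which are limited to a maximum number of days)" states the same constraint more plainly. The closing sentence "In other words, until a fix is accepted do not Cc: "linux-distros", and after it's merged do not Cc: the kernel security team." is the rule reporters will actually remember, so consider giving it its own paragraph rather than burying it at the end of the long one.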
-- 
2.17.5



* Re: [PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
  2023-10-15 13:09 [PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules Willy Tarreau
@ 2023-10-23  2:31 ` Jonathan Corbet
  2023-10-24  9:24   ` Greg Kroah-Hartman
  0 siblings, 1 reply; 4+ messages in thread
From: Jonathan Corbet @ 2023-10-23  2:31 UTC (permalink / raw)
  To: Willy Tarreau, linux-doc
  Cc: linux-kernel, Jiri Kosina, security, workflows, Willy Tarreau,
	Greg Kroah-Hartman, Kees Cook, Solar Designer, Vegard Nossum

Willy Tarreau <w@1wt.eu> writes:

> The linux-distros list relaxed their rules to try to adapt better to
> how the Linux kernel works. Let's update the Coordination part to
> explain why and when to contact them or not to and how to avoid trouble
> in the future.
>
> Link: https://www.openwall.com/lists/oss-security/2023/09/08/4
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Solar Designer <solar@openwall.com>
> Cc: Vegard Nossum <vegard.nossum@oracle.com>
> Acked-by: Jiri Kosina <jkosina@suse.cz>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
>
> This is the final version for merging. Changes since RFC:
>   - s/BEFORE/UNTIL from Vegard
>   - improved wording from Alexander
>   - acked-by from Jiri

Greg, you've taken changes to this file in the past; do you want to grab
this one or should I pick it up?

Thanks,

jon


* Re: [PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
  2023-10-23  2:31 ` Jonathan Corbet
@ 2023-10-24  9:24   ` Greg Kroah-Hartman
  2023-10-24 16:20     ` Willy Tarreau
  0 siblings, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-24  9:24 UTC (permalink / raw)
  To: Jonathan Corbet
  Cc: Willy Tarreau, linux-doc, linux-kernel, Jiri Kosina, security,
	workflows, Kees Cook, Solar Designer, Vegard Nossum

On Sun, Oct 22, 2023 at 08:31:45PM -0600, Jonathan Corbet wrote:
> Willy Tarreau <w@1wt.eu> writes:
> 
> > The linux-distros list relaxed their rules to try to adapt better to
> > how the Linux kernel works. Let's update the Coordination part to
> > explain why and when to contact them or not to and how to avoid trouble
> > in the future.
> >
> > Link: https://www.openwall.com/lists/oss-security/2023/09/08/4
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Solar Designer <solar@openwall.com>
> > Cc: Vegard Nossum <vegard.nossum@oracle.com>
> > Acked-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
> > ---
> >
> > This is the final version for merging. Changes since RFC:
> >   - s/BEFORE/UNTIL from Vegard
> >   - improved wording from Alexander
> >   - acked-by from Jiri
> 
> Greg, you've taken changes to this file in the past; do you want to grab
> this one or should I pick it up?

I was hoping there would be other reviewers of it, but I guess not.
I'll take it through my tree now, thanks!

greg k-h


* Re: [PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
  2023-10-24  9:24   ` Greg Kroah-Hartman
@ 2023-10-24 16:20     ` Willy Tarreau
  0 siblings, 0 replies; 4+ messages in thread
From: Willy Tarreau @ 2023-10-24 16:20 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Jonathan Corbet, linux-doc, linux-kernel, Jiri Kosina, security,
	workflows, Kees Cook, Solar Designer, Vegard Nossum

On Tue, Oct 24, 2023 at 11:24:27AM +0200, Greg Kroah-Hartman wrote:
> On Sun, Oct 22, 2023 at 08:31:45PM -0600, Jonathan Corbet wrote:
> > Willy Tarreau <w@1wt.eu> writes:
> > 
> > > The linux-distros list relaxed their rules to try to adapt better to
> > > how the Linux kernel works. Let's update the Coordination part to
> > > explain why and when to contact them or not to and how to avoid trouble
> > > in the future.
> > >
> > > Link: https://www.openwall.com/lists/oss-security/2023/09/08/4
> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Cc: Kees Cook <keescook@chromium.org>
> > > Cc: Solar Designer <solar@openwall.com>
> > > Cc: Vegard Nossum <vegard.nossum@oracle.com>
> > > Acked-by: Jiri Kosina <jkosina@suse.cz>
> > > Signed-off-by: Willy Tarreau <w@1wt.eu>
> > > ---
> > >
> > > This is the final version for merging. Changes since RFC:
> > >   - s/BEFORE/UNTIL from Vegard
> > >   - improved wording from Alexander
> > >   - acked-by from Jiri
> > 
> > Greg, you've taken changes to this file in the past; do you want to grab
> > this one or should I pick it up?
> 
> I was hoping there would be other reviewers of it, but I guess not.

I'm pretty sure non-technical stuff like this actually bores everyone,
starting from us; when I proposed to you to work on it, I was already
convinced that nobody would have stolen that task from me!

> I'll take it through my tree now, thanks!

Thank you!
Willy

