Date: Tue, 24 May 2022 15:29:29 +0200 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: linux-distros list policy and Linux kernel On Sun, May 22, 2022 at 09:19:51PM +0200, Solar Designer wrote: > it looks like Vegard > Nossum and maybe Thadeu Lima de Souza Cascardo intend to propose changes > to the kernel's Documentation/admin-guide/security-bugs.rst: > > On Fri, May 20, 2022 at 10:14:07AM +0200, Vegard Nossum wrote: > > I'll respond a bit later with a slightly more detailed option that also > > includes potential modifications to the in-kernel documentation as > > displayed on kernel.org. Reports of Linux kernel issues sent to linux-distros tend to ignore our policies - not only in terms of the aspect that started this thread, but also in that the reporter doesn't propose a specific date/time for making the issue (fully) public (maybe doesn't intend to do so themselves at all) and doesn't know/care/want to make a possible PoC public (if they shared that with linux-distros). Overall, it looks like they're not reading our policy at all until we ask them to. Documentation/admin-guide/security-bugs.rst gives the list posting address and mentions the [vs] prefix. It also does link to the wiki, but that makes actually visiting the wiki and reading the policy technically optional. Maybe only the wiki link should be kept, and the posting address removed. Alternatively, if a dependency on the wiki is undesirable, maybe the Linux kernel documentation should include a copy of linux-distros instructions for reporters (copied from the wiki, including the posting address) in a nearby text file (and add to it the wiki link for a possibly more current revision), and refer to that. There's also this: "Distros will need some time to test the proposed patch and will generally request at least a few days of embargo" which kind of goes against our request that the reporter be the first to propose a tentative public disclosure date/time. So I suggest the above phrase be dropped. If there are no objections, Vegard can you please suggest specific edits accordingly, and if there are no objections to those either, then submit them as a patch? Thanks, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.