Date: Fri, 9 Mar 2018 20:45:26 +0000
From: Alan Cox
To: Dave Hansen
Cc: linux-kernel@vger.kernel.org, dan.j.williams@intel.com, tglx@linutronix.de, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, aarcange@redhat.com, luto@kernel.org, keescook@google.com, tim.c.chen@linux.intel.com, viro@zeniv.linux.org.uk, akpm@linux-foundation.org, linux-doc@vger.kernel.org, corbet@lwn.net, mark.rutland@arm.com
Subject: Re: [PATCH] [v2] docs: clarify security-bugs disclosure policy
Message-ID: <20180309204526.56301f43@alans-desktop>
In-Reply-To: <20180307214624.D4361772@viggo.jf.intel.com>
References: <20180307214624.D4361772@viggo.jf.intel.com>
Organization: Intel Corporation
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 07 Mar 2018 13:46:24 -0800
Dave Hansen wrote:

> From: Dave Hansen
>
> I think we need to soften the language a bit. It might scare folks
> off, especially the:
>
>     We prefer to fully disclose the bug as soon as possible.
>
> which is not really the case. Linus says:
>
>     It's not full disclosure, it's not coordinated disclosure,
>     and it's not "no disclosure". It's more like just "timely
>     open fixes".
>
> I changed a bit of the wording in here, but mostly to remove the word
> "disclosure" since it seems to mean very specific things to people
> that we do not mean here.
>

If you want to be taken seriously then I think at a minimum you also need to

- Give a GPG key for messages to the list
- State what security is in place (encryption etc) to protect the list
  itself

There are probably a lot more things people would ask, but given the policy
is now clear that it's basically just an 'early tip off'/'make sure Linus
doesn't miss this' list for very short notification periods, it doesn't matter
so much.

Alan