From: Florian Weimer <fw@deneb.enyo.de>
To: Chris Wright <chrisw@osdl.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: thoughts on kernel security issues
References: <20050112094807.K24171@build.pdx.osdl.net>
Date: Wed, 12 Jan 2005 20:43:07 +0100
In-Reply-To: <20050112094807.K24171@build.pdx.osdl.net> (Chris Wright's
	message of "Wed, 12 Jan 2005 09:48:07 -0800")
Message-ID: <87r7kqe8ms.fsf@deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1420
Lines: 33

* Chris Wright:

> This same discussion is taking place in a few forums.  Are you opposed to
> creating a security contact point for the kernel for people to contact
> with potential security issues?

Would this be anything but a secretary in front of vendor-sec?

> http://www.wiretrip.net/rfp/policy.html
>
> Right now most things come in via 1) lkml, 2) maintainers, 3) vendor-sec.
> It would be nice to have a more centralized place for all of this
> information to help track it, make sure things don't fall through
> the cracks, and make sure of timely fix and disclosure.

You mean, like issuing *security* *advisories*? *gasp*

I think this is an absolute must (and we are certainly not alone!),
but this project does not depend on the way the initial initial
contact is handled.

> +      If it is a security bug, please copy the Security Contact listed
> +in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.

If this is about delayed disclosure, a few more details are required,
IMHO.  Otherwise, submitters will continue to use their
well-established channels.  Most people hesitate before posting stuff
they view sensitive to a mailing list.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/