Date: Thu, 18 Jul 2019 10:40:58 +0100
From: Will Deacon
To: Sasha Levin
Cc: corbet@lwn.net, solar@openwall.com, keescook@chromium.org, peterz@infradead.org, gregkh@linuxfoundation.org, tyhicks@canonical.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
Message-ID: <20190718094057.e4nclrw6qd2t4vw7@willie-the-truck>
In-Reply-To: <20190717231103.13949-1-sashal@kernel.org>

On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> Provide more information about how to interact with the linux-distros
> mailing list for disclosing security bugs.
>
> Reference the linux-distros list policy and clarify that the reporter
> must read and understand those policies as they differ from
> security@kernel.org's policy.
>
> Suggested-by: Solar Designer
> Signed-off-by: Sasha Levin
> ---
>
> Changes in v2:
> - Focus more on pointing to the linux-distros wiki and policies.
> - Remove explicit linux-distros email.
> - Remove various explanations of linux-distros policies.
>
> Documentation/admin-guide/security-bugs.rst | 19 +++++++++----------
> 1 file changed, 9 insertions(+), 10 deletions(-)
>
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst > index dcd6c93c7aac..380d44fd618d 100644 > --- a/Documentation/admin-guide/security-bugs.rst > +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -60,16 +60,15 @@ Coordination > ------------ > > Fixes for sensitive bugs, such as those that might lead to privilege > -escalations, may need to be coordinated with the private > - mailing list so that distribution vendors > -are well prepared to issue a fixed kernel upon public disclosure of the > -upstream fix. Distros will need some time to test the proposed patch and > -will generally request at least a few days of embargo, and vendor update > -publication prefers to happen Tuesday through Thursday. When appropriate, > -the security team can assist with this coordination, or the reporter can > -include linux-distros from the start. In this case, remember to prefix > -the email Subject line with "[vs]" as described in the linux-distros wiki: > - > +escalations, may need to be coordinated with the private linux-distros mailing > +list so that distribution vendors are well prepared to issue a fixed kernel > +upon public disclosure of the upstream fix. Please read and follow the policies > +of linux-distros as specified in the linux-distros wiki page before reporting:

Can we add a "there" at the end of this sentence, so it can't be misread as
implying that you must follow the linux-distros policies before reporting
to security@kernel.org?

Will
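
Review bot: The added lines visible in the Coordination hunk only tell the reporter to "read and follow the policies of linux-distros", while the commit message gives the reason as those policies differing from security@kernel.org's; nothing in the added lines shown here says so. The removed lines were the ones that mentioned an embargo period and the "[vs]" Subject prefix, so consider keeping one sentence stating that linux-distros has its own rules, separate from those of security@kernel.org, so that a reader who skips the wiki link still learns that the two lists are governed by different policies.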