Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3084843ybi; Thu, 18 Jul 2019 20:42:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqwBakm+C1ftt7GUyLiXi6nImq6Lsljzm163WWB56Jtqv0OLz4wJ96bKb0SnsN7OQ65OS+nx X-Received: by 2002:a17:902:758d:: with SMTP id j13mr51244498pll.197.1563507748549; Thu, 18 Jul 2019 20:42:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563507748; cv=none; d=google.com; s=arc-20160816; b=ozbv21tMdPnOKYVcLv6bXRQSDvdygVGEovD0PDhDHnYjb/ISB7fD09FWJATYySe/gQ ZJZc1p0rqODRI0G5nGN3WvUd9r6674YpYYaNqb7+RhRxZc59TTfWzqz1pqeo5dFm6lBu yOHlo7AT2d7Z0OkTPs3ISTe27fggJz29F4eap+klxpSlvUf0MAY20KB8i/7s2tmPq1XX XN1n9n5+/VHWz4c0UFtPNGRutNkII7Lzn2aq5QlUCVUEvvfx3yIbAej88m4IyF7dUTFO 7KAcmdLw6bNArs1e+orNmWQBxl6hJyOJaImhmUe4IzBFUYhOKQ/kvdbtQk6p4jHG4ME8 UAcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=j5xcNDnRb5GmSx1r26/dCN6RTTqEIGmlNOXp+0cj7ls=; b=PvJ/gmsq6ArvF8R59RhMYWz8SOvA880LgGzEZL3ukjc5biSilLMvZab2gzaQFHI6K0 mDtghZEv56dtXnNLTcaTx18K8h+AmSJhBrVff3kL1CrNPJT4k/vt2kny7Cw1csUCTPTa KuR9OdWQOY2981/7ScBx6uM3Mw0pJtUtbdgN4+mJqy1eYFu70TPqgr5biZojQZ96EcB9 yMfViH49ncN4CGq6+sHZwgNgQvZRz/unQGwuNa8BTZRbO26n/4FxBs61Snajm8LHVWMC UwwFHRxHDix+gEgdYcpvC6FuThnd9DgslkI9nqMm9uQxseDdT/XKo87v4+9ehkWdcMOY y/Kg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=idvmJqXg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v27si417160pgn.14.2019.07.18.20.42.12; Thu, 18 Jul 2019 20:42:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=idvmJqXg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726724AbfGSDlQ (ORCPT + 99 others); Thu, 18 Jul 2019 23:41:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:53746 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726055AbfGSDlQ (ORCPT ); Thu, 18 Jul 2019 23:41:16 -0400 Received: from localhost (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7DAF62173B; Fri, 19 Jul 2019 03:41:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1563507674; bh=fGenb1Mo2TQisp4uP/EkQQBPHk9tuT2DgTBPWSW/Zsg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=idvmJqXg+JMJL13zM+eQc6WBWK73ywhbWBURHgDuVkhBIafYZGFfF68P+Rj1mfAeJ NmihOb5H26CPilkCB88yPRVo+3+yfAossIppQ3jPNaxVZy+d0Dt5kTEVIZVyyboSOM ESfa3IiiiRlVO54Ft6UQee6w0FSEM+BbdbRyLw2w= Date: Thu, 18 Jul 2019 23:41:13 -0400 From: Sasha Levin To: Kees Cook Cc: corbet@lwn.net, solar@openwall.com, will@kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, tyhicks@canonical.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros Message-ID: <20190719034113.GD4240@sasha-vm> References: <20190717231103.13949-1-sashal@kernel.org> <201907181457.D61AC061C@keescook> <20190719003919.GC4240@sasha-vm> <201907181833.EF0D93C@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <201907181833.EF0D93C@keescook> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote: >On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote: >> On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote: >> > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote: >> > > Provide more information about how to interact with the linux-distros >> > > mailing list for disclosing security bugs. >> > > >> > > Reference the linux-distros list policy and clarify that the reporter >> > > must read and understand those policies as they differ from >> > > security@kernel.org's policy. >> > > >> > > Suggested-by: Solar Designer >> > > Signed-off-by: Sasha Levin >> > >> > Sorry, but NACK, see below... >> > >> > > --- >> > > >> > > Changes in v2: >> > > - Focus more on pointing to the linux-distros wiki and policies. >> > >> > I think this is already happening in the text. What specifically do you >> > want described differently? >> >> The main issue was that there isn't anything pointing to the >> linux-distros policies. The current text outlines a few of them ("add >> [vs]", and "there should be an embargo period"), but it effectively just >> gives out the linux-distros mailing address and tells the reporter to >> contact it. > >The current text includes the wiki link, but yes, the anchor tag is not >present at the wiki anymore. I would agree that's due for updating. > >I think reinforcing information to avoid past mistakes is appropriate >here. Reports have regularly missed the "[vs]" detail or suggested >embargoes that ended on Fridays, etc. Right, but this is a sign that the reporter didn't read the wiki. Explaining things like this encourages reporters to skip reading the wiki and just send their report out. >> > > - Remove explicit linux-distros email. >> > >> > I don't like this because we had past trouble with notifications going >> > to the distros@ list and leaking Linux-only flaws to the BSDs. As there >> > isn't a separate linux-distros wiki, the clarification of WHICH list is >> > needed. >> >> Why would removing the explicit linux-distros email encourage people to >> send reports to it? > >What? No, I'm saying we should _keep_ linux-distros@... in our text so >that people don't send to the wrong list. But doesn't this just encourage mails being sent to linux-distros@ without the policies being followed? That was Alexander's concern at least. >> I also don't understand what you mean by "there isn't a separate >> linux-distros wiki"? There is one, and I want to point the reporter >> there. > >That URL is a combined page for two lists. The very fact that it's >not obvious that there are two lists described there is exactly why I >think we need to keep an explicit mention of which to use. There are >two mailing lists described at the wiki URL: > > distros@lists.openwall.com > linux-distros@lists.openwall.com > >Sending to the distros@ list risks exposing Linux-only flaws to non-Linux >distros. This has caused leaks in the past, and we do not want people >guessing at which list they should use. > >Also note that nowhere on the openwall wiki is the email address >actually spelled out; this is another reason to spell it out in our >documentation: no misunderstanding. > >(And historically there WAS a specific linux-distros wiki: >https://oss-security.openwall.org/wiki/mailing-lists/linux-distros >but it redirects to the combined one now...) > >> > > - Remove various explanations of linux-distros policies. >> > >> > I don't think there's value in removing the Tue-Thu comment, nor >> > providing context for why distros need time. This has been a regular >> > thing we've had to explain to researchers that aren't familiar with >> > update procedures and publication timing. >> >> To be fair, the Tue-Thu comment is listed in the section describing how >> to do coordination with linux-distros, and linux-distros don't have a >> Tue-Thu policy. If it's a security@kernel.org policy then let's list it >> elsewhere. > >It's a distro preference. Many researchers aren't thinking about the >larger Linux ecosystem that has to consume fixes. It's not a _policy_, >but it makes the researchers understand how to construct better embargoes. If it's an accepted preference then we should just document it in a few other places like the linux-distros@ wiki. My concern with this is that it's not, and it's actually one of the only things Alexander pointed out in this document as surprising. -- Thanks, Sasha >> If you feel that there is a consensus around Tue-Thu let's just add it >> to the linux-distros policy wiki, there's no point in listing random >> policies from that wiki. > >I think it'd be a good idea to add that note also to the wiki, but I >don't want it removed from our text because I have had to repeat that >information regularly in the past. > >-- >Kees Cook