Date: Fri, 19 Jul 2019 10:42:15 +0200
From: Solar Designer
To: Kees Cook
Cc: Sasha Levin, corbet@lwn.net, will@kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, tyhicks@canonical.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] Documentation/security-bugs: provide more information about linux-distros
Message-ID: <20190719084215.GA24691@openwall.com>
References: <20190717231103.13949-1-sashal@kernel.org> <201907181457.D61AC061C@keescook> <20190719003919.GC4240@sasha-vm> <201907181833.EF0D93C@keescook>
In-Reply-To: <201907181833.EF0D93C@keescook>

On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > >
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@kernel.org's policy.
> > > >
> > > > Suggested-by: Solar Designer
> > > > Signed-off-by: Sasha Levin
> > >
> > > Sorry, but NACK, see below...

I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then I
suggest that we apply Sasha's first revision of the patch instead.  I
think either revision is an improvement on the status quo.

> I think reinforcing information to avoid past mistakes is appropriate
> here.

Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:

- The reporter having been directed to post from elsewhere (and I
suspect this documentation file) without being aware of list policy.

- The reporter not mentioning (and sometimes not replying even when
asked) whether they're also coordinating with security@k.o or whether
they want someone on linux-distros to help coordinate with
security@k.o.  (Maybe this is something we want to write about here.)

- The Linux kernel bug having been introduced too recently to be of
much interest to distros.

> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.

This happens too.  Regarding missing the "[vs]" detail, technically
there are also a number of other conditions that also let the message
through, but those are changing and are deliberately not advertised.

> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.

Right.

> This has caused leaks in the past

Do you mean leaks to *BSD security teams or to the public?  I'm not
aware of past leaks to the public via the non-Linux distros present on
the distros@ list.  Are you?

Alexander