Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp25606561rwd;
        Sun, 2 Jul 2023 21:20:33 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHtycEa3TEfTw1y/vX/Kw1YMQGATmu45wmeRFje+r4+LWj5IWHGTfdRMak6KnDV7RF4ANeC
X-Received: by 2002:a17:90a:f0c9:b0:25b:c454:a366 with SMTP id fa9-20020a17090af0c900b0025bc454a366mr10348683pjb.5.1688358033244;
        Sun, 02 Jul 2023 21:20:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688358033; cv=none;
        d=google.com; s=arc-20160816;
        b=ozAdOK6n/j1XHYI3t/gmRRA55TCzD357rse14qqvQhfLpWVhdW4qFkcU0DFk65LFuK
         6ClQg/5xllyg7g6D+181qNiXi9E/e530cuQzgR7djwSCdDJbWNsbQLxRfWxi+9WMxFLG
         RHiZg9vkbpBj7HDciyG3gA3dAEGvhKEndaABTsAZyR3n/p+VhpyMLJqewovILFcy0nCB
         3eNOnpXCc30KzwDHidFVrNmIlYKrRjCXaFRQwuZvmee6f8QaqdNAuPxiyeft4Rg7KJku
         AIown2IPVnTtK2yQp3mbQ/QIJLtIfi2pQulye2864vZyhpkw542EW8spENhzNoBNj8sU
         FTnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=B3mtt6xatFmcMs7ybCDSYta51zdQoy9VQMK2p5PUcjs=;
        fh=Ktb5NnF5s5efQwyTnnJtRPFPde+2aBSIdgYifQic2T4=;
        b=wEZ1SSYDaRB7V9dhOpPPNPPx1NXtPjHN0CKU7Het/kG1onqrjoiYjy6Qprx2qtLTYl
         Z8iC/AVUUH24eMAmLbGRTO9I+DlcWXBWv1M7dWA5I2TiWmjYQIFaz2KZVbAsmdWeXZZp
         Ponavw0yRmDBsoa5/RseGWi7doJYfo4GBLnyQB0pOX1e8Er/Mz8drvPEyLs4ESYa3i+9
         INKeuCcMvqa7AOYDAF6WRPaDM2zPw+TflvD6Wr9n2sLrWj8HgCZMe6xgKRR0r1g0wHmf
         TlfVwzQAzD331RLNGYlftXjTifKS58qI4/sr4/GerL1sTFb51pYx1GUNVOBJXTwe6hZ/
         9RpA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id ob13-20020a17090b390d00b0026395ce41e2si5552325pjb.37.2023.07.02.21.20.18;
        Sun, 02 Jul 2023 21:20:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229928AbjGCEIU (ORCPT <rfc822;alexander.kapshuk@gmail.com>
        + 99 others); Mon, 3 Jul 2023 00:08:20 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40862 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229564AbjGCEIS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Jul 2023 00:08:18 -0400
Received: from 1wt.eu (ded1.1wt.eu [163.172.96.212])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id E4C71180;
        Sun,  2 Jul 2023 21:08:15 -0700 (PDT)
Received: (from willy@localhost)
        by mail.home.local (8.17.1/8.17.1/Submit) id 363480Or021269;
        Mon, 3 Jul 2023 06:08:00 +0200
Date:   Mon, 3 Jul 2023 06:08:00 +0200
From:   Willy Tarreau <w@1wt.eu>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     Kees Cook <keescook@chromium.org>, linux-doc@vger.kernel.org,
        linux-kernel@vger.kernel.org, security@kernel.org, corbet@lwn.net,
        workflows@vger.kernel.org
Subject: Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE
 handling
Message-ID: <ZKJJoK4kyOCEYcOR@1wt.eu>
References: <2023063020-throat-pantyhose-f110@gregkh>
 <2023063022-retouch-kerosene-7e4a@gregkh>
 <202306301114.E199B136@keescook>
 <2023070213-capacity-moneybags-3668@gregkh>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2023070213-capacity-moneybags-3668@gregkh>
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 02, 2023 at 02:39:49PM +0200, Greg Kroah-Hartman wrote:
> On Fri, Jun 30, 2023 at 11:18:37AM -0700, Kees Cook wrote:
> > On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote:
> > > The kernel security team does NOT assign CVEs, so document that properly
> > > and provide the "if you want one, ask MITRE for it" response that we
> > > give on a weekly basis in the document, so we don't have to constantly
> > > say it to everyone who asks.
> > > 
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > ---
> > >  Documentation/process/security-bugs.rst | 11 ++++-------
> > >  1 file changed, 4 insertions(+), 7 deletions(-)
> > > 
> > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> > > index f12ac2316ce7..8b80e1eb7d79 100644
> > > --- a/Documentation/process/security-bugs.rst
> > > +++ b/Documentation/process/security-bugs.rst
> > > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems.
> > >  CVE assignment
> > >  --------------
> > >  
> > > -The security team does not normally assign CVEs, nor do we require them
> > > -for reports or fixes, as this can needlessly complicate the process and
> > > -may delay the bug handling. If a reporter wishes to have a CVE identifier
> > > -assigned ahead of public disclosure, they will need to contact the private
> > > -linux-distros list, described above. When such a CVE identifier is known
> > > -before a patch is provided, it is desirable to mention it in the commit
> > > -message if the reporter agrees.
> > > +The security team does not assign CVEs, nor do we require them for
> > > +reports or fixes, as this can needlessly complicate the process and may
> > > +delay the bug handling.  If a reporter wishes to have a CVE identifier
> > > +assigned, they should contact MITRE directly.
> > 
> > Hmm. The language about "assigned ahead of public disclosure" was added
> > intentionally due to trouble we'd had with coordination when a CVE was
> > needed, etc. Additionally, it IS preferred to have a CVE in a patch when
> > it IS known ahead of time, so I think that should be kept. How about
> > this:
> > 
> > 
> > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> > index 82e29837d589..2f4060d49b31 100644
> > --- a/Documentation/process/security-bugs.rst
> > +++ b/Documentation/process/security-bugs.rst
> > @@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki:
> >  CVE assignment
> >  --------------
> >  
> > -The security team does not normally assign CVEs, nor do we require them
> > -for reports or fixes, as this can needlessly complicate the process and
> > -may delay the bug handling. If a reporter wishes to have a CVE identifier
> > -assigned ahead of public disclosure, they will need to contact the private
> > -linux-distros list, described above. When such a CVE identifier is known
> > -before a patch is provided, it is desirable to mention it in the commit
> > -message if the reporter agrees.
> > +The security team does not assign CVEs, nor do we require them for reports
> > +or fixes, as this can needlessly complicate the process and may delay
> > +the bug handling. If a reporter wishes to have a CVE identifier assigned
> > +ahead of public disclosure, they will need to contact MITRE directly.
> > +When such a CVE identifier is known before a patch is provided, it is
> > +desirable to mention it in the commit message if the reporter agrees.
> 
> I can not, in good faith, with the current mess that MITRE is going
> through, tell anyone that they should contact MITRE ahead of public
> disclosure, sorry.
> 
> All I can say is "if you really want one, go ask them for one", as
> everyone keeps asking us for one to pad their resume/CV.
> 
> Also note that many non-US-based companies are not allowed to contact a
> US-government-backed entity for potential security issues for obvious
> reasons.
> 
> So I don't want to even give a hint that we support or request this at
> all, or that it is something that changelog texts should contain for
> security issues (for the obvious reason of them being a "hint" one way
> or another.)
> 
> External groups may wish to play the CVE "game" as it facilitates their
> engineering procedures to get changes past managers, but that's not
> anything that we should be encouraging at all for all of the various
> geopolitical and corporate reasons involved in that mess.

I generally agree with your points above, and these can be easily
summarized by indicating that the patch will not wait for this, and
suggesting that MITRE is not the only possible source:

  The security team does not assign CVEs, nor do we require them for
  reports or fixes, as this can needlessly complicate the process and may
  delay the bug handling.  If a reporter wishes to have a CVE identifier
  assigned, they should find one by themselves, for example by contacting
  MITRE directly.  However under no circumstances will a patch inclusion
  be delayed to wait for a CVE identifier to arrive.

This puts the responsibility for finding one in time on the reporter
depending on what they expect, and if they want it in the commit
message, they'd rather have one before reporting the problem.

Willy