Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp26682155rwd;
        Mon, 3 Jul 2023 13:17:46 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGccpzFnrOdSbrq4C6GXIBNE+4KT7Kd1kpRHGrO2Ad0M9nEcqsVOCoMO5fDhugqaVBmEoOE
X-Received: by 2002:a17:903:2441:b0:1b8:870c:4ce8 with SMTP id l1-20020a170903244100b001b8870c4ce8mr10837183pls.18.1688415466312;
        Mon, 03 Jul 2023 13:17:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688415466; cv=none;
        d=google.com; s=arc-20160816;
        b=SZH3nnplynzLQqd6I1M1rIguOJ9L7ub2sYyHl3WNDk5smNAi0pTeUWwezxM2RdZBMr
         QCh2EPJXYbMjNjmeiuBdM9FCrvroslCga2zMFsFFgqZAWoNMoi8apDZ+1VbWxBvWTbSm
         tZ1BAYJ4MA08Z/WmGi+WOgid7uv2+KPoeZ1+uq7LiydAn4DMg7Vtk3ICBMIZRAMmiahh
         hO1GcT/qwnIieaPp0YRtL46FE/KgXSeqZy4cePt/6pap9T44p8FPT43BpioOgcyguUxw
         YMPMlZZaxz83pMn2pvd8/2DLUIZRDnUre+purvDYI3zlHCgl8E1BsoLN7v7EGY2PZ6wO
         7G1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=lXdX8eJgtosgBLv2NaUnvgwg/Pj2nV/YkfcmmwRBOCw=;
        fh=LKaAzDhnYM2ladN2aAZywtrXXYjUclMRIYhojbsK40g=;
        b=hlUdFyJiFGV43vDRepRLpWgfogIjYht/zVuccHglb5iChd54Xfk4ZEg+mv4r02QVzg
         0I92K9jjBTTk6pS59LEGmo5z9qpxpVcNN3P+h4CyAKHpUY5bwxzSQNnhhcW25rJ5rSI3
         4jglJbmRVSkOGcbpi9DvAyuk2j5JfanmmMH1rWmi2KdQ7kkBsDoDRe4zS++fMihCO/Nt
         9xt1ZcnLRaLdU+JhXC14V0VXAmj7XxJsvsBEJR9PcvZrOQ66TL0wVGzklt7woJABCYiG
         22BZWSRI/Dfld+R/C83WFlIdxnZ0GzL+vQx/M6+s93kyqTOK9Uo6rnFZmH1p082kzvyj
         9QYQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bsnGCgJQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id s7-20020a170902a50700b001b54bdd6412si17923842plq.396.2023.07.03.13.17.33;
        Mon, 03 Jul 2023 13:17:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bsnGCgJQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231299AbjGCTHZ (ORCPT <rfc822;alekseygorbachev2323@gmail.com>
        + 99 others); Mon, 3 Jul 2023 15:07:25 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44022 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229897AbjGCTHX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Jul 2023 15:07:23 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20B7BAF;
        Mon,  3 Jul 2023 12:07:22 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 9A04560F1D;
        Mon,  3 Jul 2023 19:07:21 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8880EC433C8;
        Mon,  3 Jul 2023 19:07:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1688411241;
        bh=Kd7EHdh7ZgDRJ7WngoJ1HViLWXS7NRXYd7wLjSFpoDY=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=bsnGCgJQMYIKo8o81WtnAGPizAR+Ssu3mbkrGltLSAPGEpIkz+btrmQqziqsRCkYb
         RtUisuqx2+n4H0kjyKxRdsXpYk48DT9vHRoT+YVmWL+aanf7R52W8ORcW2yvVzzbMg
         52hNo6VBqIwtF250kVDjy7L+4H1DU7Tz37gcXLCg=
Date:   Mon, 3 Jul 2023 21:05:15 +0200
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     Kees Cook <keescook@chromium.org>
Cc:     Willy Tarreau <w@1wt.eu>, linux-doc@vger.kernel.org,
        linux-kernel@vger.kernel.org, security@kernel.org, corbet@lwn.net,
        workflows@vger.kernel.org
Subject: Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE
 handling
Message-ID: <2023070329-mangy-dipping-2ebd@gregkh>
References: <2023063020-throat-pantyhose-f110@gregkh>
 <2023063022-retouch-kerosene-7e4a@gregkh>
 <202306301114.E199B136@keescook>
 <2023070213-capacity-moneybags-3668@gregkh>
 <ZKJJoK4kyOCEYcOR@1wt.eu>
 <2023070335-groggily-catfish-9ad5@gregkh>
 <202307031131.51907BC65@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202307031131.51907BC65@keescook>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 03, 2023 at 11:35:37AM -0700, Kees Cook wrote:
> On Mon, Jul 03, 2023 at 05:00:15PM +0200, Greg Kroah-Hartman wrote:
> > On Mon, Jul 03, 2023 at 06:08:00AM +0200, Willy Tarreau wrote:
> > >   The security team does not assign CVEs, nor do we require them for
> > >   reports or fixes, as this can needlessly complicate the process and may
> > >   delay the bug handling.  If a reporter wishes to have a CVE identifier
> > >   assigned, they should find one by themselves, for example by contacting
> > >   MITRE directly.  However under no circumstances will a patch inclusion
> > >   be delayed to wait for a CVE identifier to arrive.
> > > 
> > > This puts the responsibility for finding one in time on the reporter
> > > depending on what they expect, and if they want it in the commit
> > > message, they'd rather have one before reporting the problem.
> > 
> > Oh, nice wording, let me steal that!  :)
> 
> Yeah, this is good. The last sentence is a little hard to parse, so how
> about this, with a little more rationale expansion:
> 
> However under no circumstances will patch publication be delayed for
> CVE identifier assignment. Getting fixes landed takes precedence; the
> CVE database entry will already reference the commit, so there is no loss
> of information if the CVE is assigned later.

"simple is better" should be the key here, reading a wall of text is
hard for people, so let me just keep the one new sentance that Willy
proposed and if people still struggle with the whole CVEs and
security@k.o mess in the future, we can revise it again.

Also, there is not really a "CVE database", I think that's what NVD from
NIST does and CNNVD from China does, and "Something to be named in the
future soon" will do for the EU.  There is a "CVE List" at cve.org, but
that thing is always out of date, and for all of this I don't want to
have to try to explain it in our document as that's nothing we want to
mess with :)

thanks,

greg k-h