From: Willy Tarreau
To: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org, Willy Tarreau, Greg Kroah-Hartman, Kees Cook, Solar Designer, Vegard Nossum
Subject: [RFC PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
Date: Sat, 7 Oct 2023 16:04:54 +0200
Message-Id: <20231007140454.25419-1-w@1wt.eu>

The linux-distros list relaxed their rules to try to adapt better to how
the Linux kernel works. Let's update the Coordination part to explain why
and when to contact them or not to, and how to avoid trouble in the future.

Link: https://www.openwall.com/lists/oss-security/2023/09/08/4
Cc: Greg Kroah-Hartman
Cc: Kees Cook
Cc: Solar Designer
Cc: Vegard Nossum
Signed-off-by: Willy Tarreau
---
 Documentation/process/security-bugs.rst | 33 ++++++++++++++++++-------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 5a6993795bd2..8bbad669af1f 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -66,15 +66,30 @@ lifted, in perpetuity. Coordination with other groups ------------------------------ -The kernel security team strongly recommends that reporters of potential -security issues NEVER contact the "linux-distros" mailing list until -AFTER discussing it with the kernel security team. Do not Cc: both -lists at once. You may contact the linux-distros mailing list after a -fix has been agreed on and you fully understand the requirements that -doing so will impose on you and the kernel community. - -The different lists have different goals and the linux-distros rules do -not contribute to actually fixing any potential security problems. +While the kernel security team solely focuses on getting bugs fixed, +other groups focus on fixing issues in distros and coordinating +disclosure between operating system vendors. Coordination is usually +handled by the "linux-distros" mailing list and disclosure by the +public "oss-security" mailing list, both of which are closely related +and presented in the linux-distros wiki: + + +Please note that the respective policies and rules are different since +the 3 lists pursue different goals. Coordinating between the kernel +security team and other teams is difficult since occasional embargoes +start from the availability of a fix for the kernel security team, while +for other lists they generally start from the initial post to the list, +regardless of the availability of a fix. + +As such, the kernel security team strongly recommends that reporters of +potential security issues DO NOT contact the "linux-distros" mailing +list BEFORE a fix is accepted by the affected code's maintainers and you +have read the linux-distros wiki page above and you fully understand the +requirements that doing so will impose on you and the kernel community. +This also means that in general it doesn't make sense to Cc: both lists +at once, except for coordination if a fix remains under embargo. 
And in +general, please do not Cc: the kernel security list about fixes that +have already been merged. CVE assignment -------------- -- 2.17.5
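Review bot: the added sentence ending "presented in the linux-distros wiki:" is followed only by blank "+" lines, so the wiki URL it introduces is missing from the hunk as shown, and the later precondition that reporters "have read the linux-distros wiki page above" has nothing to refer to; put the URL on its own line directly after the colon (reStructuredText renders a bare URL as a link) and confirm it appears in the rendered document. Two smaller points in the same hunk: "the 3 lists" should be spelled out as "the three lists", and because only two mailing lists (linux-distros and oss-security) are named here, it should say explicitly that the kernel security team's address is the third, e.g. "the three lists (security@kernel.org, linux-distros and oss-security) pursue different goals"; and the sentence beginning "DO NOT contact the "linux-distros" mailing list BEFORE a fix is accepted" chains three conditions ("a fix is accepted", "you have read the linux-distros wiki page", "you fully understand the requirements") into one long sentence, which would read more clearly, and be easier for a reporter to check against, as a short bullet list of preconditions.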