From: Willy Tarreau
To: Solar Designer
Cc: Vegard Nossum, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org, Greg Kroah-Hartman, Kees Cook, Jiri Kosina
Subject: Re: [RFC PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
Date: Fri, 13 Oct 2023 05:47:12 +0200
Message-ID: <20231013034712.GC15920@1wt.eu>
References: <20231007140454.25419-1-w@1wt.eu> <5ae47535-b6e0-8b48-4d59-a167e37c7fcc@oracle.com> <20231007163936.GA26837@1wt.eu> <20231012215122.GA8245@openwall.com>
In-Reply-To: <20231012215122.GA8245@openwall.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, Oct 12, 2023 at 11:51:22PM +0200, Solar Designer wrote:
> Hi all,
>
> Thank you (especially Willy) for your effort on this.
>
> Out of the 3 paragraphs, the first one looks good to me as-is, but for
> the last two I propose the slightly edited versions below.
>
> On Sat, Oct 07, 2023 at 04:04:54PM +0200, Willy Tarreau wrote:
> > +Please note that the respective policies and rules are different since
> > +the 3 lists pursue different goals. Coordinating between the kernel
> > +security team and other teams is difficult since occasional embargoes
> > +start from the availability of a fix for the kernel security team, while
> > +for other lists they generally start from the initial post to the list,
> > +regardless of the availability of a fix.
>
> ---
> Please note that the respective policies and rules are different since
> the 3 lists pursue different goals. Coordinating between the kernel
> security team and other teams is difficult since for the kernel security
> team occasional embargoes (as subject to a maximum allowed number of
> days) start from the availability of a fix, while for "linux-distros"
> they start from the initial post to the list regardless of the
> availability of a fix.
> ---
>
> I added the part in braces to explain why the difference in when
> embargoes start matters. I also moved part of that sentence for
> consistency. Finally, I replaced "other lists" with specific reference
> to "linux-distros" because this paragraph talks only about 3 specific
> lists and on "oss-security" there are no embargoes.

It's fine by me as it doesn't change the spirit but improves the wording.

> On Sat, Oct 07, 2023 at 06:39:36PM +0200, Willy Tarreau wrote:
> > On Sat, Oct 07, 2023 at 06:30:11PM +0200, Vegard Nossum wrote:
> > > On 07/10/2023 16:04, Willy Tarreau wrote:
> > > > +As such, the kernel security team strongly recommends that reporters of
> > > > +potential security issues DO NOT contact the "linux-distros" mailing
> > > > +list BEFORE a fix is accepted by the affected code's maintainers and you
> > >
> > > is s/BEFORE/UNTIL/ clearer?
> >
> > Probably, yes.
>
> I agree. Also, the sentence jumps from "reporters" to "you" implying
> that "you" is a reporter, but maybe it's better to make that explicit.

Ah, I hate doing this, I generally avoid "you" and "we" in docs but given
these ones are instructions it's easy to fall in the trap. I'll try to
improve it.

> > > > +have read the linux-distros wiki page above and you fully understand the
> > > > +requirements that doing so will impose on you and the kernel community.
> > > > +This also means that in general it doesn't make sense to Cc: both lists
> > > > +at once, except for coordination if a fix remains under embargo. And in
> > > > +general, please do not Cc: the kernel security list about fixes that
> > > > +have already been merged.
>
> This implies that in general a fix does not remain under embargo.

This is most often the case.

> However, contacting "linux-distros" only makes sense when a fix does
> remain under embargo (either not yet pushed to a public list/repo, or
> under the Linux kernel exception for a public not-too-revealing fix) -
> otherwise, the issue should be brought to "oss-security" right away.
>
> Edited:
>
> ---
> As such, the kernel security team strongly recommends that as a reporter
> of a potential security issue you DO NOT contact the "linux-distros"
> mailing list UNTIL a fix is accepted by the affected code's maintainers
> and you have read the distros wiki page above and you fully understand
> the requirements that contacting "linux-distros" will impose on you and
> the kernel community. This also means that in general it doesn't make
> sense to Cc: both lists at once, except maybe for coordination if and
> while an accepted fix has not yet been merged. In other words, until a
> fix is accepted do not Cc: "linux-distros", and after it's merged do not
> Cc: the kernel security team.
> ---
>
> This allows possible Cc'ing of both lists in the time window between
> "fix is accepted by the affected code's maintainers" and "merged".
> Makes sense? I worry this distinction between accepted and merged may
> be overly complicated for some, but I don't have better wording.

I think it's fine as is. I care a lot about giving clear instructions,
especially for first-time reporters, for whom it's always particularly
stressful to report a bug. With this update I think there's enough
guidance and it should help, so OK for me.

> > > I guess the problem with this would be if
> > > somebody on s@k.o does a reply-all which would add distros right back in
> > > the loop -OR- a patch has already been developed and included.
> >
> > Then this would be deliberate, there would be an in-reply-to so that would
> > not be a problem.
> > I really doubt anyone from s@k.o would Cc linux-distros
> > anyway since it would imply disclosing some details from a reporter, and
> > we do not do that, it's up to the reporter to do it if they want.
>
> I think we don't want to complicate the setup, which we'd then have to
> explain somewhere. With my concern/edit above, also the logic isn't
> that simple.

Agreed, let's leave it to the reporter to do what they want with the
instructions above and be done with it.

Jiri, does your Acked-by still stand with these adjustments? If so, I'll
resend the updated version today or this weekend, as time permits.

Thanks!
Willy