From: Willy Tarreau
To: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Jiri Kosina, security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org, Willy Tarreau, Greg Kroah-Hartman, Kees Cook, Solar Designer, Vegard Nossum
Subject: [PATCH] Documentation: security-bugs.rst: linux-distros relaxed their rules
Date: Sun, 15 Oct 2023 15:09:59 +0200
Message-Id: <20231015130959.26242-1-w@1wt.eu>

The linux-distros list relaxed their rules to try to adapt better to
how the Linux kernel works. Let's update the Coordination part to
explain why and when to contact them or not, and how to avoid trouble
in the future.

Link: https://www.openwall.com/lists/oss-security/2023/09/08/4
Cc: Greg Kroah-Hartman
Cc: Kees Cook
Cc: Solar Designer
Cc: Vegard Nossum
Acked-by: Jiri Kosina
Signed-off-by: Willy Tarreau
---
This is the final version for merging.

Changes since RFC:
  - s/BEFORE/UNTIL from Vegard
  - improved wording from Alexander
  - acked-by from Jiri

Thanks!
Willy
---
 Documentation/process/security-bugs.rst | 35 ++++++++++++++++++-------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 5a6993795bd2..692a3ba56cca 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -66,15 +66,32 @@ lifted, in perpetuity. Coordination with other groups ------------------------------ -The kernel security team strongly recommends that reporters of potential -security issues NEVER contact the "linux-distros" mailing list until -AFTER discussing it with the kernel security team. Do not Cc: both -lists at once. You may contact the linux-distros mailing list after a -fix has been agreed on and you fully understand the requirements that -doing so will impose on you and the kernel community. - -The different lists have different goals and the linux-distros rules do -not contribute to actually fixing any potential security problems. +While the kernel security team solely focuses on getting bugs fixed, +other groups focus on fixing issues in distros and coordinating +disclosure between operating system vendors. Coordination is usually +handled by the "linux-distros" mailing list and disclosure by the +public "oss-security" mailing list, both of which are closely related +and presented in the linux-distros wiki: + + +Please note that the respective policies and rules are different since +the 3 lists pursue different goals. Coordinating between the kernel +security team and other teams is difficult since for the kernel security +team occasional embargoes (as subject to a maximum allowed number of +days) start from the availability of a fix, while for "linux-distros" +they start from the initial post to the list regardless of the +availability of a fix. + +As such, the kernel security team strongly recommends that as a reporter +of a potential security issue you DO NOT contact the "linux-distros" +mailing list UNTIL a fix is accepted by the affected code's maintainers +and you have read the distros wiki page above and you fully understand +the requirements that contacting "linux-distros" will impose on you and +the kernel community. 
This also means that in general it doesn't make +sense to Cc: both lists at once, except maybe for coordination if and +while an accepted fix has not yet been merged. In other words, until a +fix is accepted do not Cc: "linux-distros", and after it's merged do not +Cc: the kernel security team. CVE assignment -------------- -- 2.17.5
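Review bot: the added paragraph ends with "and presented in the linux-distros wiki:" followed only by blank lines, and the later sentence tells the reporter to "read the distros wiki page above", but no URL is visible at that point in the hunk as shown here; make sure the link line actually follows that colon in the submitted patch, otherwise the reader is sent to a page they cannot find. Two smaller wording points in the same hunk: "the 3 lists pursue different goals" should spell the number out ("the three lists"), matching the rest of this document, and "occasional embargoes (as subject to a maximum allowed number of days) start from the availability of a fix" reads more naturally as "occasional embargoes (which are subject to a maximum number of days) start from the availability of a fix".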