Date: Wed, 14 Feb 2024 07:43:32 +0100
From: Greg Kroah-Hartman
To: Kees Cook
Cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Sasha Levin, Lee Jones
Subject: Re: [PATCH] Documentation: Document the Linux Kernel CVE process
Message-ID: <2024021445-emporium-tightwad-3c35@gregkh>
References: <2024021314-unwelcome-shrill-690e@gregkh> <202402131429.A604440C6@keescook>
In-Reply-To: <202402131429.A604440C6@keescook>

On Tue, Feb 13, 2024 at 02:35:24PM -0800, Kees Cook wrote:
> On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> > +No CVEs will be assigned for unfixed security issues in the Linux
> > +kernel, assignment will only happen after a fix is available as it can
> > +be properly tracked that way by the git commit id of the original fix.
>
> This seems at odds with the literal definition of what CVEs are:
> _vulnerability_ enumeration. This is used especially during the
> coordination of fixes; how is this meant to interact with embargoed
> vulnerability fixing?

Yes, this is totally wrong, it was the original first draft of the
document, that I did on my workstation, and then went on the road for 3+
weeks and I never synced up when I got home with the updated version that
is on my laptop.

The updated version addresses this, as it was rightly pointed out by the
CVE group that this is not how a CNA is supposed to only work.

Yet another reason why keeping changes private is a major pain, not only
for security ones! :(

Let me send out the proper one after my morning coffee has kicked in and
I resolve the differences, and make the grammar fixes that Randy pointed
out...

> Outside of that, I welcome the fire-hose of coming identifiers! I think
> this will more accurately represent the number of fixes landing in
> stable trees and how important it is for end users to stay current on
> a stable kernel.

Agreed.

> Reviewed-by: Kees Cook

Many thanks for the review!

greg k-h
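
Review bot: in the quoted hunk, "the git commit id of the original fix" does not say which tree that commit id refers to, so a reader tracking a stable kernel cannot tell whether the identifier maps to the mainline commit or to a backport; the added text should name the tree. The first two added lines also join two independent clauses with a comma ("in the Linux kernel, assignment will only happen"), which reads more clearly as two sentences.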