Message-ID: <11248961-9180-4330-8537-1cd0037edb85@leemhuis.info>
Date: Thu, 15 Feb 2024 09:17:59 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process
From: Thorsten Leemhuis
To: Greg Kroah-Hartman, corbet@lwn.net, workflows@vger.kernel.org
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Kees Cook, Sasha Levin, Lee Jones
References: <2024021430-blanching-spotter-c7c8@gregkh>

On 14.02.24 09:00, Greg Kroah-Hartman wrote:
> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.
> [...]

The following is just nitpicking, hence feel free to ignore.

> +As always, it is best to take all released kernel changes, as they are
> +tested together in a unified whole by many community members, and not as
> +individual cherry-picked changes. Also note that for many bugs, the
> +solution to the overall problem is not found in a single change, but by
> +the sum of many fixes on top of each other. Ideally CVEs will be
> +assigned to all fixes for all issues, but sometimes we do not notice
> +fixes in released kernels, so do not assume that because a specific
> +change does not have a CVE assigned to it, that it is not relevant to
> +take.

There are four "not" in the last pretty long sentence which makes it
kinda hard to parse. Avoiding that could look like this:

  Ideally CVEs will be assigned to all fixes for all issues -- but
  sometimes we will fail to notice fixes, therefore assume that some
  changes without an assigned CVE might still be relevant to take.

Or like this:

  Ideally CVEs will be assigned to all fixes for all issues, but
  sometimes we will overlook fixes -- therefore assume that some
  changes that lack an assigned CVE might still be relevant to take.

Not sure if that really makes it better, I guess you as a native
speaker are a better judge here.

Ciao, Thorsten (who also wondered what "to all fixes for all issues"
exactly means, but whatever)
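
Review bot: In the last sentence of the quoted hunk, "assigned to all fixes for all issues" leaves the scope of "issues" open; the commit message quoted above only speaks of "fixed issues", so the sentence should say which issues are meant or drop the second "all". The same sentence stacks its negations behind "do not assume that because ..." and carries a redundant second "that" before "it is not relevant to take"; stating the conclusion positively, for instance that a change without an assigned CVE may still be relevant to take, would be easier to parse for readers deciding what to backport.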