Date: Thu, 15 Feb 2024 18:38:05 +0100 (CET)
From: Jiri Kosina
To: Greg Kroah-Hartman
cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org,
    linux-kernel@vger.kernel.org, security@kernel.org, linux@leemhuis.info,
    Kees Cook, Konstantin Ryabitsev, Krzysztof Kozlowski, Lukas Bulwahn,
    Sasha Levin, Lee Jones
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process
In-Reply-To: <2024021500-laziness-grimace-ed80@gregkh>

On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:

> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.

There is still one thing that's not clear to me with this new process,
and that's how embargos are going to be handled.

Currently, the process is broken as well, but at least understood by
everybody.

- issues are reported to security@kernel.org. No CVE assigned, 7 days
  embargo, then fix gets pushed out

- at some point (in parallel, before, or after the above), the issue gets
  reported to linux-distros@. CVE gets assigned, and downstreams start
  integrating the fix (once available) to their codebase.

- embargo is lifted, fixes are released with proper CVE reference

How is the new process going to look?

Please keep in mind that linux-stable is (by far!) *not* the only
downstream of Linux Kernel project.

We've had this discussion in other contexts already, but I
whole-heartedly believe that it's in no way in the Linux Kernel project's
interest to kill those other downstreams (read: Linux distros) (*) ... or
is it?

(*) just looking at how much those not-basing-on-stable distros are
    contributing to mainline

Thanks,

--
Jiri Kosina
SUSE Labs