Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp615898rdb; Thu, 15 Feb 2024 09:51:34 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXZiMikdQWiXb2g0/DBfpDDgugU8VMq3lBwshnyqo4q7zP//fIt6L6ommeFt9a0xUACmYh6fcsPtqipL3bGtNokKidmqwKkVQb47r+4vw== X-Google-Smtp-Source: AGHT+IEL9ysgny7mMuPpLfY/P6daK7y2eJxxtRNae4rd6Ei0y3dZQY+2vO+3IIzqzGzfThiwebiq X-Received: by 2002:a05:6808:f11:b0:3c0:4128:3b85 with SMTP id m17-20020a0568080f1100b003c041283b85mr3223616oiw.22.1708019494700; Thu, 15 Feb 2024 09:51:34 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708019494; cv=pass; d=google.com; s=arc-20160816; b=RbSqb4qorxxl4nijiOuTM5rU3C1Q6ZrOnB0KDWAY4WQab6c2wQSFWh7chSCAN+GNT4 Mabxg97LmakkO9GfvbuPjOAP7wqRzGDcLtFHi96+gW0/m41oIbJesnF9E7zbzpx1kn6n M2NiII6GxQ5okTT8gqVdchLGG/pSKLXmJANvFpUgAZkVfS0qyJoN9WNQj7vDDQC5P2Pq C5vN9ww4pG0qDz5Pb4fPmkJUB4s0KOtfZaDBb9e8oLvxipunS1OWb70uwVMK2r1So9WC uW/IjLDI0e9LCgplmW2M/PI1kgGG6dgQ8WuEMzhlpjMqzQoOhfRSiUIQJvJ2rWWX1IRj QWYw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=euwNFb4WZ2vDBa4x0+RNVUSxXivU/yDKQHaVWO+cqg8=; fh=46hdZIXHIBCivHRyKvm+wRtJYnptyl+ar0aCTXNvy78=; b=O8IS3aqNnXAMW7QCe+RwV+YJ7x04e6IbETaubY1Ipmuts4hgpS4w2jxw3afoha0NsN 5RRdSVlyYyEOZcxZvS0Bkw2LPCetpXqSBpazgk0Mf4L47CVIUPHV5p4oLvM7nRwBl5Wo barYQ0KK/N73KZQ2QD2kS6AlOgfenfD/pCr2xYLCTOSP9c9r7lqhahKW+Got8evdCaHg rLcamR3aRlNTWnRPdg2VyD6YyXmYf4r8J8TYuGJJ3jppwlu6UEcbQkK+X1nwDKg/Z2xn uqVcc97qpEN1P6J9UP/xi29BOE4kMmYjPuHD6COx6geSPaSMl+CNWUQbTPjTjvIRkMjy szhw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uOe3plOE; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-67441-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-67441-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id kd26-20020a056214401a00b0068c4223caaasi1892732qvb.224.2024.02.15.09.51.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Feb 2024 09:51:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-67441-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uOe3plOE; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-67441-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-67441-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 7D92E1C2135B for ; Thu, 15 Feb 2024 17:50:10 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 33766137C54; Thu, 15 Feb 2024 17:50:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="uOe3plOE" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 39FB5132C04; Thu, 15 Feb 2024 17:50:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708019403; cv=none; b=BeRHgq8h/b2P6WLOe3saNfRtuZc+YFCizSXk4nA5OCIEFMAfhz+yR3lWb+xJY3TipJjcGh0KegdOo3hP5kYySco1Xk8m4u7NkmzHdm/rB95Z9j5SHI3rw/jluHD7i2r/+76E8PStzPw5YFUIB2mDb4ONQrhe90OHnPpVYCPHY5E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708019403; c=relaxed/simple; bh=6iQEyzYwkfviCF0e55aaTe03PfZ0ULlRw8Re/HVfXG4=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=JxRnF6QcBZ+VtCu7Fitb0xRl99d0m0wVSDNLTbvKmbnKJjr5DwQv7RAMPruKNwHSgAFFhF3FMBbGLE37X/3f2+JvVQcy+FUs4/kYB5i3e6bLtOv0RJJ4Vh5BpWt/9gVRIOMsSW16jPKJGk/RoO/wZME1a5ZuDs46q00jIlThlvM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=uOe3plOE; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5CDCDC433C7; Thu, 15 Feb 2024 17:50:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1708019402; bh=6iQEyzYwkfviCF0e55aaTe03PfZ0ULlRw8Re/HVfXG4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=uOe3plOEdv4hi0f9UwZO1CKVPuo7vyj8zfyB/Vcjs79ilrzKx2dCW7wkj2WIW6xRp lY4lvr+dDPR+87ZGwsahxBrziCUjClG3S8DwVGeKSu6YdjdWM1Ci8VcdQTppTwQ5yF YdbPga9Kf9il4NVPS7eqyfAuJhpRcgkbZhFLQfFU= Date: Thu, 15 Feb 2024 18:49:59 +0100 From: Greg Kroah-Hartman To: Oleksandr Natalenko Cc: Lukas Bulwahn , corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Kees Cook , Sasha Levin , Lee Jones Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process Message-ID: <2024021518-repressed-sinless-7111@gregkh> References: <2024021430-blanching-spotter-c7c8@gregkh> <2024021532-commode-knickers-3895@gregkh> <12454500.O9o76ZdvQC@natalenko.name> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <12454500.O9o76ZdvQC@natalenko.name> On Thu, Feb 15, 2024 at 05:10:50PM +0100, Oleksandr Natalenko wrote: > Hello. > > On čtvrtek 15. února 2024 13:04:56 CET Greg Kroah-Hartman wrote: > > On Wed, Feb 14, 2024 at 09:34:38AM +0100, Lukas Bulwahn wrote: > > > On Wed, Feb 14, 2024 at 9:01 AM Greg Kroah-Hartman > > > wrote: > > > > > > > > The Linux kernel project now has the ability to assign CVEs to fixed > > > > issues, so document the process and how individual developers can get a > > > > CVE if one is not automatically assigned for their fixes. > > > > > > > > Reviewed-by: Kees Cook > > > > Signed-off-by: Greg Kroah-Hartman > > > > Signed-off-by: Sasha Levin > > > > Signed-off-by: Lee Jones > > > > --- > > > > v3: fix up wording in security-bugs.rst based on the changes to the cve > > > > assignment process from v1, thanks to a private reviewer for > > > > pointing that out. > > > > v2: Grammer fixes based on review from Randy > > > > Updated paragraph about how CVE identifiers will be assigned > > > > (automatically when added to stable trees, or ask us for one > > > > directly before that happens if so desired) > > > > > > > > > > Hi Greg, Sasha, Lee, > > > > > > Generally, I think this is a great step forward on the whole "security > > > vulnerability mess" and this will certainly help me and others in the > > > embedded space to argue to update to recent stable kernel versions. > > > This can then finally put the practice of shipping multiple-year-old > > > kernel versions to an end. Often this was just done with the argument > > > that there is not a recent CVE and fix assigned to some recent stable > > > kernel version---and integrators think updates to recent kernel stable > > > versions are not needed and not recommended. > > > > > > I am looking forward to seeing what and how many stable commits are > > > going to get CVEs assigned. If Greg's policy from the Kernel Recipes > > > 2019 presentation comes into play, every git kernel hash (GKH)---at > > > least in the stable tree---could get a CVE identifier (just to be on > > > the safe side). But I assume you are going to use some expert > > > knowledge, heuristics or some machine-learning AI to make some commits > > > in the stable tree carrying a CVE identifier and some others not. > > > > Yes, that "expert knowledge" will be "review all patches by hand" just > > like we do today for all that are included in the stable trees. > > Not undermining your efforts in any way, but I'd like to get an honest answer: is this really true? For instance, > > $ git log --oneline v6.7.1..v6.7.2 | wc -l > 641 > > Is it physically possible to actually review all these backports in just five days? I did, yes. And have been doing so for 15+ years, practice makes it easier :) thanks, greg k-h