On Mon, Mar 06, 2023 at 07:35:34AM +0100, Willy Tarreau wrote:
> On Mon, Mar 06, 2023 at 07:02:14AM +0100, Greg Kroah-Hartman wrote:
> > Secondly, and the bigger one, I think we should just drop all of the
> > references to linux-distros and oss-security entirely, as those are
> > groups that are outside of our control and interaction and have
> > different rules that we might not agree with. They are also just a tiny
> > subset of Linux users and companies and as such do not really reflect
> > the majority of where Linux is used anymore.
>
> I'm wondering if instead they shouldn't just be mentioned as a warning
> about the risk of leak or forced disclosure. We know that reporters may
> find the address from various places, including various sites that may
> enumerate the long list of potential contacts, and not just this doc.
> It can be useful to have just a paragraph warning about the fact that
> oss-sec is public and that linux-distros has this strict disclosure
> policy without consideration for the availability of a fix, in order
> to warn them to only contact such lists once the fix is available and
> tested if they want to, but never before. Anything we can do to help
> serious reporters (i.e. those who are really embarrassed with a bug,
> not those who seek a Curriculum Vitae Enhancer) should be done. It's
> always a stressful moment to report a security issue on a project,
> you always fear that you might be making an irreversible mistake, so
> whatever info we can pass about the risks (or lack of) should be
> welcome I guess.

That's a good idea, if it can be worded in a way that reflects that it is
not any sort of requirement or that it is a normal part of our development
process.

thanks,

greg k-h