Re: [PATCH v3 0/7] Documentation/security-bugs: overhaul

On 3/6/23 07:02, Greg Kroah-Hartman wrote:
> On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote:
>> Lots of people have been confused about the 7/14 days of the kernel list
>> vs. the 7/14 days of the distros list, the fact that these are two
>> separate lists, etc. Many reporters contact distros first, or submit
>> their report to both lists at the same time (which has the unfortunate
>> effect of starting off the disclosure countdown for the distros list
>> before s@k.o has had a chance to look at the report). I've shared the v2
>> document with a couple of people who submitted reports and they said
>> they found it a lot clearer.
>>
>> Probably the easiest way to see the end result of this series is to view the
>> rendered HTML which I've put here:
>> https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html
>
> Thanks for doing this, it looks much better, but I do have some
> objections with it.
>
> First off, you didn't cc: the security@k.o group to see if they agree
> with this, any specific reason why?  :)

I did consider it, but thought it was better not to since this is not
a security issue -- but I see it's actually listed in MAINTAINERS (in an
entry I'm changing, no less... *facepalm*)

Added to Cc, beginning of the thread is here:
https://lore.kernel.org/all/20230305220010.20895-1-vegard.nossum@xxxxxxxxxx/

> Secondly, and the bigger one, I think we should just drop all of the
> references to linux-distros and oss-security entirely, as those are
> groups that are outside of our control and interaction and have
> different rules that we might not agree with.

I find this a strange sentiment. All the major Linux distros have a
presence on the distros list and it remains a valuable resource for
coordination.

I think most of the friction of the past should have been resolved by
the distros list actually updating its rules last year (if not 100%
according to your wishes, at least a good step in that direction); any
remaining problems should hopefully be resolved by improving the
documentation so that issues are not sent to the distros list prematurely.

> They are also just a tiny subset of Linux users and companies and as such
> do not really reflect the majority of where Linux is used anymore.

Is the elephant in the room that Android vendors are not rolling out
kernel updates in the 7-14 days given by distros to publicly disclose
the reported issues? If so, then I think this is the real issue here,
and it should be stated outright.

> But overall I like the slimmer size, so perhaps the end result just
> being the first two major sections would be best.  Let me take those
> changes first and we can see how the result looks for now to see if that
> will resolve some of the major issues the security@k.o group have right
> now with reports (i.e. CVE requests, other group's disclosure rules and
> dates).

I personally think it would be a mistake not to include the info about
the other lists, both because I think they have real value (and I do
think they represent Linux kernel users, if not kernel developers) but
also because, as Willy said, people will find the wrong information
elsewhere and submit issues anyway, people are still going to want to
request CVEs (regardless of what you or I think about them), etc.

Anyway, I don't represent s@k.o so I don't decide, I really just want
security for end users and as responsible disclosure as we can hope for.
The patches are out there so feel free to use whatever you want from them.

Thanks for looking it over.


Vegard
