On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > Provide more information about how to interact with the linux-distros
> > mailing list for disclosing security bugs.
> >
> > Reference the linux-distros list policy and clarify that the reporter
> > must read and understand those policies as they differ from
> > security@xxxxxxxxxx's policy.
> >
> > Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
>
> Sorry, but NACK, see below...
>
> > ---
> > Changes in v2:
> > - Focus more on pointing to the linux-distros wiki and policies.
>
> I think this is already happening in the text. What specifically do you
> want described differently?

The main issue was that there isn't anything pointing to the
linux-distros policies. The current text outlines a few of them ("add
[vs]", and "there should be an embargo period"), but it effectively just
gives out the linux-distros mailing address and tells the reporter to
contact it.

> > - Remove explicit linux-distros email.
>
> I don't like this because we had past trouble with notifications going
> to the distros@ list and leaking Linux-only flaws to the BSDs. As there
> isn't a separate linux-distros wiki, the clarification of WHICH list is
> needed.

Why would removing the explicit linux-distros email encourage people to
send reports to it?

I also don't understand what you mean by "there isn't a separate
linux-distros wiki"? There is one, and I want to point the reporter
there.

> > - Remove various explanations of linux-distros policies.
>
> I don't think there's value in removing the Tue-Thu comment, nor
> providing context for why distros need time. This has been a regular
> thing we've had to explain to researchers that aren't familiar with
> update procedures and publication timing.

To be fair, the Tue-Thu comment is listed in the section describing how
to do coordination with linux-distros, and linux-distros don't have a
Tue-Thu policy. If it's a security@xxxxxxxxxx policy then let's list it
elsewhere.

If you feel that there is a consensus around Tue-Thu let's just add it
to the linux-distros policy wiki, there's no point in listing random
policies from that wiki.
--
Thanks,
Sasha