On Thu, Jul 18, 2019 at 06:51:07PM -0700, Kees Cook wrote:
> On Thu, Jul 18, 2019 at 08:39:19PM -0400, Sasha Levin wrote:
> > On Thu, Jul 18, 2019 at 03:00:55PM -0700, Kees Cook wrote:
> > > On Wed, Jul 17, 2019 at 07:11:03PM -0400, Sasha Levin wrote:
> > > > Provide more information about how to interact with the linux-distros
> > > > mailing list for disclosing security bugs.
> > > >
> > > > Reference the linux-distros list policy and clarify that the reporter
> > > > must read and understand those policies as they differ from
> > > > security@xxxxxxxxxx's policy.
> > > >
> > > > Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
> > > > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> > >
> > > Sorry, but NACK, see below...

I like Sasha's PATCH v2 better, but if Kees insists on NACK'ing it then I
suggest that we apply Sasha's first revision of the patch instead. I think
either revision is an improvement on the status quo.

> I think reinforcing information to avoid past mistakes is appropriate
> here.

Maybe, but from my perspective common past issues with Linux kernel bugs
reported to linux-distros were:

- The reporter having been directed to post from elsewhere (and I suspect
  this documentation file) without being aware of list policy.

- The reporter not mentioning (and sometimes not replying even when asked)
  whether they're also coordinating with security@k.o or whether they want
  someone on linux-distros to help coordinate with security@k.o. (Maybe
  this is something we want to write about here.)

- The Linux kernel bug having been introduced too recently to be of much
  interest to distros.

> Reports have regularly missed the "[vs]" detail or suggested
> embargoes that ended on Fridays, etc.

This happens too. Regarding missing the "[vs]" detail, technically there
are also a number of other conditions that also let the message through,
but those are changing and are deliberately not advertised.

> Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> distros.

Right.

> This has caused leaks in the past

Do you mean leaks to *BSD security teams or to the public? I'm not aware of
past leaks to the public via the non-Linux distros present on the distros@
list. Are you?

Alexander