On Fri, Jul 19, 2019 at 10:42:15AM +0200, Solar Designer wrote:
> - The reporter having been directed to post from elsewhere (and I
>   suspect this documentation file) without being aware of list policy.

Perhaps specify "linux-distros@" without a domain, so it's more clear? Or
re-split the Wiki into two pages to avoid confusion?

> - The reporter not mentioning (and sometimes not replying even when
>   asked) whether they're also coordinating with security@k.o or whether
>   they want someone on linux-distros to help coordinate with security@k.o.
>   (Maybe this is something we want to write about here.)

Yeah, that seems useful to include in both places.

> - The Linux kernel bug having been introduced too recently to be of much
>   interest to distros.

Right; that'd be good to add as well. I see a lot of panic on twitter,
for example, about bugs that only ever existed in -rc releases.

> > Sending to the distros@ list risks exposing Linux-only flaws to non-Linux
> > distros.
>
> Right.
>
> > This has caused leaks in the past
>
> Do you mean leaks to *BSD security teams or to the public? I'm not
> aware of past leaks to the public via the non-Linux distros present on
> the distros@ list. Are you?

I don't know the origin of the leaks, but it only happened when distros@
was used instead of linux-distros@. I think this happened with DirtyCOW,
specifically.

--
Kees Cook