Message-ID: <20220524132929.GA29337@openwall.com>
Date: Tue, 24 May 2022 15:29:29 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel

On Sun, May 22, 2022 at 09:19:51PM +0200, Solar Designer wrote:
> it looks like Vegard
> Nossum and maybe Thadeu Lima de Souza Cascardo intend to propose changes
> to the kernel's Documentation/admin-guide/security-bugs.rst:
>
> On Fri, May 20, 2022 at 10:14:07AM +0200, Vegard Nossum wrote:
> > I'll respond a bit later with a slightly more detailed option that also
> > includes potential modifications to the in-kernel documentation as
> > displayed on kernel.org.

Reports of Linux kernel issues sent to linux-distros tend to ignore our
policies - not only in terms of the aspect that started this thread, but
also in that the reporter doesn't propose a specific date/time for making
the issue (fully) public (maybe doesn't intend to do so themselves at all)
and doesn't know/care/want to make a possible PoC public (if they shared
that with linux-distros). Overall, it looks like they're not reading our
policy at all until we ask them to.

Documentation/admin-guide/security-bugs.rst gives the list posting address
and mentions the [vs] prefix. It also does link to the wiki, but that
makes actually visiting the wiki and reading the policy technically
optional. Maybe only the wiki link should be kept, and the posting
address removed.

Alternatively, if a dependency on the wiki is undesirable, maybe the Linux
kernel documentation should include a copy of linux-distros instructions
for reporters (copied from the wiki, including the posting address) in a
nearby text file (and add to it the wiki link for a possibly more current
revision), and refer to that.

There's also this:

"Distros will need some time to test the proposed patch and will generally
request at least a few days of embargo"

which kind of goes against our request that the reporter be the first to
propose a tentative public disclosure date/time. So I suggest the above
phrase be dropped.

If there are no objections, Vegard, can you please suggest specific edits
accordingly, and if there are no objections to those either, then submit
them as a patch?

Thanks,

Alexander