From: Greg KH <gregkh@linuxfoundation.org>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Vegard Nossum <vegard.nossum@oracle.com>,
Jiri Kosina <jkosina@suse.cz>,
ksummit@lists.linux.dev
Subject: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@
Date: Tue, 15 Aug 2023 21:41:06 +0200
Message-ID: <2023081512-worshiper-donor-371f@gregkh>
In-Reply-To: <ZNvGKEDS2CBlUliR@char.us.oracle.com>
On Tue, Aug 15, 2023 at 02:46:27PM -0400, Konrad Rzeszutek Wilk wrote:
> ..snip..
> >
> > We used to have someone on security@k.o that would notify linux-distros
> > about problems when we had fixed them, but I think they got tired of
> > constantly keeping on top of this and stopped doing it. It's a
> > thankless job, just like being on the security@k.o alias is, and I don't
> > blame them for stopping.
>
> Hi Greg,
>
> Oracle will happily pay someone this "thankless job" (actually I think it
> is a pretty exciting job as you get to learn and try your hand on
> everything) to do this and also help with the security fixes.

The thing is, people on security@k.o are there on their own recognition,
and can not represent, nor notify, their employer of things discussed
there (otherwise the group can't really be called independent.) We have
had to remove members in the past who were only using access there for
their employer so I'm a bit hesitant to only add someone for the single
reason to funnel stuff from the list elsewhere for obvious reasons.
Others in the group are free to disagree with me about this, it's run as
a "collective" by those doing the work there, not by fiat.

Note, the people on security@k.o almost always do NOT fix the issue
reported, they are there to triage and drag in the correct maintainers
and then help review proposed changes. If you as a maintainer are drug
into the list enough times, you're asked if you want to join to save the
round-trip emails. So when people are added, it's because of problems
in their kernel area, or because they have done lots of reviews of
subsystems in ways relating to security issues, not because they are
there to fix issues in other parts of the kernel.

And again, if only the issues that are reported to security@k.o are sent
to linux-distros, the distros will only get a tiny tiny subset of the
actual bugs being fixed in the kernel on a weekly basis. Trying to get
access to this tiny feed does not solve the real issue of distros not
properly updating to get all of the needed fixes.

Also remember that some subsystems refuse to participate in
security@k.o, their fixes come in through the "normal" stable releases,
with work done on mailing lists. So again, if you only see the
security@k.o issues, you will miss major problems being resolved.

Work on solving the root problem here for your distro please, don't
fixate on the CVE nonsense dance, that provides a false sense of
security and not actual security at all.

thanks,

greg k-h