Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@

[Greg KH <gregkh@linuxfoundation.org>]

On Tue, Aug 15, 2023 at 03:20:00PM +0100, Catalin Marinas wrote:
> On Tue, Aug 15, 2023 at 08:42:53AM -0400, Steven Rostedt wrote:
> > On Tue, 15 Aug 2023 13:23:36 +0200
> > Greg KH <gregkh@linuxfoundation.org> wrote:
> > > Politics is a rough game, the only way to survive is to not play it for
> > > stuff like this.
> > > 
> > > So no, "distros@k.o" isn't going to be possible for the LF to host, and
> > > any other group that wants to run such a thing will quickly have these
> > > issues as well, it's amazing that linux-distros has been able to survive
> > > for as long as it has.
> > 
> > I'll have to talk with some laywers, as I'm curious to what would be
> > considered illegal about linux-distros. Are you aware of any government
> > specific laws I could go read? I'm not a lawyer, but I've read quite a bit
> > of laws that I can usually get an idea of the problem for my own
> > references (and my experience is that lawyers don't even know until
> > something is settled in court).
> 
> One thing that comes to mind is the hosting location of openwall.org.
> For some reason my employer decided to block access to it, though
> apparently one-way emails to linux-distros still work. I can see some
> politicians wondering why one sends security pre-announcements to a
> sanctioned country. For this reason, I'd much prefer an equivalent
> hosted by the LF but the foundation may not want to be in a position to
> police who's on that list, what qualifies as a Linux distro, which
> country they come from, potentially removing them based on the
> geopolitical situation of the day.

Lots of people want the LF to do such a thing, and last I heard, there
were some people potentially working on this but I do not know the
status of it, sorry.  Try asking the owners of openwall.org if you are
curious, they should know the current state.

Note, this is independant of the kernel, hence my not wanting to get
involved in it at all.

> I guess security@kernel.org can be easier to justify as a closed forum
> for fixing the actual bug with the aim to release the fix to the world
> as soon as possible. But yeah, from the disclosure perspective, I don't
> see much difference other than fewer people (well, the LF could ask for
> US gov security clearance to be on this list ;)).
> 
> FWIW, Arm does want some official pre-announcement mechanism for
> kernel bug-fixes with severe security implications. Some of our partners
> (especially those with large cloud deployments or distro vendors
> providing them with software) need a bit of time to roll out a fix and
> consider that the public disclosure via the kernel stable/linus trees is
> too late, pretty much a zero-day for them. So far we pointed them at
> linux-distros but there is a growing pressure for private disclosure
> mechanisms (only for reports originating from Arm). Maybe your idea of
> first reporting to distro security teams is not that bad.

Loads of companies/governments have been pestering us for access to
security@k.o for decades now, this isn't going to change for the obvious
reason that having such groups on the list is not going to help us fix
any problem, but instead, just give everyone early access to known
security problems.

Same thing would happen for any potential distro@k.o list, remember who
some of the largest users of Linux is (i.e. governments) and many of
them have their own custom "distros" for their systems for valid
reasons.

So no, we can't do that if you care about security overall, this would
make things insecure.

sorry,

greg k-h