Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@

[Vegard Nossum <vegard.nossum@oracle.com>]

(Sending this with a few extra people in Bcc so they'll see it without
getting spammed with replies if they don't want them.)

On 8/15/23 11:28, Jiri Kosina wrote:
> Hi,
> 
> I believe that reporters of embargoed security issues have always been
> confused about reporting to security@kernel.org vs. reporting to
> linux-distros@, as those two lists have completely different ways of
> dealing with the report (different purpose, different deadlines, different
> obligations imposed on the reporters, etc).
> 
> Our documentation originally suggested reporting to both in some "hybrid"
> mode, and the results were not great, quite often leading to confusion
> left and right.
> 
> This led to a slight update to our documentation [1], where reporters are
> discouraged from reporting kernel issues to linux-distros@ ever.
> 
> While I generally agree with the change *now*, given the current
> conditions, I would like to bring this up for discussion on how to deal
> with this longer term.

Sorry to toot this particular horn all the time, but before this update
to the security documentation I had also submitted patches to update it
to be much clearer and more explicit about the s@k.o and linux-distros
distinction:

https://lore.kernel.org/all/20230305220010.20895-1-vegard.nossum@oracle.com/

The main objection was probably this response from Greg KH, but I had
the impression he was (at the time) not totally against wording things
in this direction at some point:

https://lore.kernel.org/all/ZAWB5kwcG9IpWvE%2F@kroah.com/

I think it's worth pointing out that the latest update to the
documentation (where reporters are discouraged from reporting kernel
issues to linux-distros@ ever) came just after a private discussion (on
both mailing lists) about the StackRot/CVE-2023-3269 vulnerability where
Linus in particular came out hard against the linux-distros policy, in
particular the requirement to disclose PoCs if those were shared with
the list in the first place. I therefore think that Linus himself needs
to be involved in this discussion and that his arguments need to be made
in public instead of just paraphrased by me.

> With my distro hat on, I really want the kernel security bugs to be
> *eventually* processed through linux-distros@ somehow, for one sole
> reason: it means that our distro security people will be aware of it,
> track it internally, and keep an eye on the fix being ported to all of our
> codestreams. This is exactly how this is done for all other packages.
> 
> I would be curious to hear about this from other distros, but I sort of
> expect that they would agree.

+1 from me; the distros list has been an extremely important resource
for distros in order to get fixes shipped out with minimal delay.

I keep saying this as well: almost all users get their kernels through
distros. Very few end users build their own kernels from source; in
other words, it's not enough that a fix has been committed to
mainline/stable git to consider it fixed. The connection between
upstream git and end users is clearly the distros, so distros should be
in the loop _at some point_.

> If this process doesn't happen, many kernel security (with CVE potentially
> eventually assigned retroactively) fixes will go by unnoticed, as distro
> kernel people will never be explicitly made aware of them, and distros
> will be missing many of the patches. Which I don't think is a desired end
> effect.
> 
> I have been discussing this with Greg already some time ago, and I know
> that his response to this is "then use -stable, and you'll get everything
> automatically" (which is obviously true, because stable is represented at
> security@kernel.org), but:
> 
> - Neither us (nor RedHat, nor Ubuntu, as far as I am aware) are picking
>    stable as a primary base for distro kernels. There are many reasons for
>    this (lifecycles not matching, stable picking up way too many things for
>    taste of some of us, etc), but that's probably slightly off-topic for
>    this discussion
> 
> - For several varying reasons, our security people really struggle with
>    ensuring that whenever CVE is published, we as a distro can guarantee,
>    that fix for that particular CVE is included. linux-distros@ provides
>    that connection between bugfix and CVE report, and that is lost if the
>    fix goes only through security@kernel.org
> 
>    And yes, I hate the whole CVE thing with passion, but it unfortunately
>    exists and is seen as an industry standard by many. And with us not
>    being able to systematically / automatically guarantee that fix for
>    particulart CVE is included, Linux will be not allowed into many places.
> 
> I am currently not sure what exactly would be the solution to this.
> 
> One thing to try would of course be to discuss with linux-distros@ people
> whether they'd be willing to adjust their rules to fit our needs better;
> but before that happens, we should be ourselves clear on what our needs
> towards them actually are.
> 
> Another option might be to ensure representation of distros at
> security@kernel.org, but that would completely change the purpose of it,
> and I don't think that's desired.
> 
> ... ?

I'll throw in another idea: distros@kernel.org.

A closed list which will be notified by security@kernel.org once they
feel patches for a particular issue are ready for testing/consumption by
distros (and hopefully before the issue is disclosed publicly, if the
reporter still wishes to do that).

The members and list rules would be totally up to the security team to
decide.

> 
> [1] https://git.kernel.org/linus/4fee0915e649b
> 
> Thanks,
> 


Vegard