From: Catalin Marinas <catalin.marinas@arm.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Greg KH <gregkh@linuxfoundation.org>,
Vegard Nossum <vegard.nossum@oracle.com>,
Jiri Kosina <jkosina@suse.cz>,
ksummit@lists.linux.dev
Subject: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@
Date: Tue, 15 Aug 2023 15:20:00 +0100 [thread overview]
Message-ID: <ZNuJkCHnaCb95zj/@arm.com> (raw)
In-Reply-To: <20230815084253.7091083e@gandalf.local.home>
On Tue, Aug 15, 2023 at 08:42:53AM -0400, Steven Rostedt wrote:
> On Tue, 15 Aug 2023 13:23:36 +0200
> Greg KH <gregkh@linuxfoundation.org> wrote:
> > Politics is a rough game, the only way to survive is to not play it for
> > stuff like this.
> >
> > So no, "distros@k.o" isn't going to be possible for the LF to host, and
> > any other group that wants to run such a thing will quickly have these
> > issues as well, it's amazing that linux-distros has been able to survive
> > for as long as it has.
>
> I'll have to talk with some laywers, as I'm curious to what would be
> considered illegal about linux-distros. Are you aware of any government
> specific laws I could go read? I'm not a lawyer, but I've read quite a bit
> of laws that I can usually get an idea of the problem for my own
> references (and my experience is that lawyers don't even know until
> something is settled in court).
One thing that comes to mind is the hosting location of openwall.org.
For some reason my employer decided to block access to it, though
apparently one-way emails to linux-distros still work. I can see some
politicians wondering why one sends security pre-announcements to a
sanctioned country. For this reason, I'd much prefer an equivalent
hosted by the LF but the foundation may not want to be in a position to
police who's on that list, what qualifies as a Linux distro, which
country they come from, potentially removing them based on the
geopolitical situation of the day.
I guess security@kernel.org can be easier to justify as a closed forum
for fixing the actual bug with the aim to release the fix to the world
as soon as possible. But yeah, from the disclosure perspective, I don't
see much difference other than fewer people (well, the LF could ask for
US gov security clearance to be on this list ;)).
FWIW, Arm does want some official pre-announcement mechanism for
kernel bug-fixes with severe security implications. Some of our partners
(especially those with large cloud deployments or distro vendors
providing them with software) need a bit of time to roll out a fix and
consider that the public disclosure via the kernel stable/linus trees is
too late, pretty much a zero-day for them. So far we pointed them at
linux-distros but there is a growing pressure for private disclosure
mechanisms (only for reports originating from Arm). Maybe your idea of
first reporting to distro security teams is not that bad.
--
Catalin
next prev parent reply other threads:[~2023-08-15 14:20 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-15 9:28 Jiri Kosina
2023-08-15 10:17 ` Vegard Nossum
2023-08-15 10:34 ` Jiri Kosina
2023-08-15 11:23 ` Greg KH
2023-08-15 12:42 ` Steven Rostedt
2023-08-15 13:17 ` Daniel Borkmann
2023-08-15 14:19 ` Laurent Pinchart
2023-08-15 22:04 ` Jiri Kosina
2023-08-15 14:20 ` Catalin Marinas [this message]
2023-08-15 14:41 ` Greg KH
2023-08-15 15:04 ` Steven Rostedt
2023-08-15 15:51 ` Greg KH
2023-08-15 15:08 ` Greg KH
2023-08-15 18:46 ` Konrad Rzeszutek Wilk
2023-08-15 19:41 ` Greg KH
2023-08-15 22:13 ` Jiri Kosina
2023-08-15 22:31 ` Steven Rostedt
2023-08-16 14:55 ` Greg KH
2024-02-16 17:14 ` Michal Suchánek
2024-02-16 17:34 ` Greg KH
2024-02-16 18:13 ` Michal Suchánek
2024-02-16 18:16 ` Jiri Kosina
2023-08-15 22:17 ` Jiri Kosina
2023-08-16 14:57 ` Greg KH
2023-08-16 17:22 ` Jiri Kosina
2023-08-16 18:38 ` Vegard Nossum
2023-08-16 15:26 ` Solar Designer
2023-08-25 11:17 ` Donald Buczek
2023-08-29 8:46 ` Miroslav Benes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZNuJkCHnaCb95zj/@arm.com \
--to=catalin.marinas@arm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=ksummit@lists.linux.dev \
--cc=rostedt@goodmis.org \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox