From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 1B795DBA for ; Tue, 11 Sep 2018 14:37:37 +0000 (UTC) Received: from mx1.suse.de (mx2.suse.de [195.135.220.15]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 54B257C6 for ; Tue, 11 Sep 2018 14:37:36 +0000 (UTC) Date: Tue, 11 Sep 2018 16:37:34 +0200 Message-ID: From: Takashi Iwai To: Greg KH In-Reply-To: <20180911142134.GB19866@kroah.com> References: <20180911011056.GA6958@localhost.localdomain> <20180911142134.GB19866@kroah.com> MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Cc: Justin Forbes , ksummit Subject: Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , On Tue, 11 Sep 2018 16:21:34 +0200, Greg KH wrote: > > On Tue, Sep 11, 2018 at 02:00:58PM +0200, Takashi Iwai wrote: > > On Tue, 11 Sep 2018 13:57:09 +0200, > > Justin Forbes wrote: > > > > > > On Mon, Sep 10, 2018 at 8:11 PM, Eduardo Valentin wrote: > > > > Hello, > > > > > > > > I would like to open a discussion on improving the annotation > > > > around CVE patches on the Linux kernel. Today, the kernel Documentation > > > > mentions about CVE assignment and asks as a good practice to at least > > > > mention the CVE number in the patch [1]. But, is that enough? > > > > Should the kernel have more info about what patches fixes a specific > > > > CVE? > > > > > > > > Some of the challenges with current process: > > > > - The info about of about what CVEs have been patched in a kernel is > > > > outside the kernel tree / git history. > > > > - Today, some patches have the CVE info, and many others do not mention > > > > anything about CVE number. > > > > - As mentioned in the kernel documentation [1], not always the CVE > > > > number is assigned when the patch(es) go into the kernel tree, so > > > > maybe this may require some post merge annotation? > > > > > > This is also sometimes relevant when you can fix and embargoed CVE > > > before embargo lifts because the actual fix doesn't make it obvious > > > that there is a security issue. Obfuscation is a somewhat useful tool > > > when fixing security bugs sometimes. I would rather get the patches > > > in sooner than have them be properly annotated for the security fixes > > > they really are. > > > > I hoped that git-notes could be used for such additional post-release > > notes. But it seems that it never flies well due to various > > reasons... > > I do remember a tree somewhere on github that had a tracking between > cves and kernel commits. It was a pain to keep up to date, but the > author was doing a good job for a number of months. > > Can't find it now... > > Anyway, the main problem here is that almost all the time, CVEs are > assigned _after_ the patch is in the kernel tree. And we can't go back > in time to change a changelog entry. Actually, git-notes is exactly for that purpose: adding notes after the commit. Say, you have a shiny new CVE for the commit in 4.19-rc2, and you can put the CVE number in each commit via git-notes. Then git-log will show that notes, and you can search over the notes in a (sort of) namespace, too. The same would work for the reverse-mapping of Fixes tag, too, BTW. The pain point of git-notes is the way to share the notes. Also it's not really scalable. But for the amount of CVE numbering, it should suffice, I guess. > Also, what about huge series of patches all to fix one CVE? What would > you put down for the single Meltdown commit? > > So this is up to those that wish to track these types of things, good > luck! > > And yes, this is my "CVEs are a joke" feelings coming through here, > sorry if you are someone who has to treat them as something important... Heh, I share your feeling :) thanks, Takashi