From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tiwai@suse.de>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 991E810A9
	for <ksummit-discuss@lists.linuxfoundation.org>;
	Tue, 11 Sep 2018 12:01:01 +0000 (UTC)
Received: from mx1.suse.de (mx2.suse.de [195.135.220.15])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 285D7716
	for <ksummit-discuss@lists.linuxfoundation.org>;
	Tue, 11 Sep 2018 12:01:01 +0000 (UTC)
Date: Tue, 11 Sep 2018 14:00:58 +0200
Message-ID: <s5hr2i0z1j9.wl-tiwai@suse.de>
From: Takashi Iwai <tiwai@suse.de>
To: Justin Forbes <jforbes@redhat.com>
In-Reply-To: <CAFbkSA2spzRzya=ftfTxK3Wca=wnNwg7x2o+rM5s8s201=R3Rw@mail.gmail.com>
References: <20180911011056.GA6958@localhost.localdomain>
	<CAFbkSA2spzRzya=ftfTxK3Wca=wnNwg7x2o+rM5s8s201=R3Rw@mail.gmail.com>
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: ksummit <ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation
List-Id: <ksummit-discuss.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/ksummit-discuss>,
	<mailto:ksummit-discuss-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/ksummit-discuss/>
List-Post: <mailto:ksummit-discuss@lists.linuxfoundation.org>
List-Help: <mailto:ksummit-discuss-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/ksummit-discuss>,
	<mailto:ksummit-discuss-request@lists.linuxfoundation.org?subject=subscribe>

On Tue, 11 Sep 2018 13:57:09 +0200,
Justin Forbes wrote:
> 
> On Mon, Sep 10, 2018 at 8:11 PM, Eduardo Valentin <edubezval@gmail.com> wrote:
> > Hello,
> >
> > I would like to open a discussion on improving the annotation
> > around CVE patches on the Linux kernel. Today, the kernel Documentation
> > mentions about CVE assignment and asks as a good practice to at least
> > mention the CVE  number in the patch [1]. But, is that enough?
> > Should the kernel have more info about what patches fixes a specific
> > CVE?
> >
> > Some of the challenges with current process:
> > - The info about of about what CVEs have been patched in a kernel is
> >   outside the kernel tree / git history.
> > - Today, some patches have the CVE info, and many others do not mention
> >   anything about CVE number.
> > - As mentioned in the kernel documentation [1], not always the CVE
> >   number is assigned when the patch(es) go into the kernel tree, so
> >   maybe this may require some post merge annotation?
> 
> This is also sometimes relevant when you can fix and embargoed CVE
> before embargo lifts because the actual fix doesn't make it obvious
> that there is a security issue. Obfuscation is a somewhat useful tool
> when fixing security bugs sometimes.  I would rather get the patches
> in sooner than have them be properly annotated for the security fixes
> they really are.

I hoped that git-notes could be used for such additional post-release
notes.  But it seems that it never flies well due to various
reasons...


Takashi