* [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group @ 2023-06-30 7:14 Greg Kroah-Hartman 2023-06-30 7:14 ` [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling Greg Kroah-Hartman 2023-06-30 18:14 ` [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Kees Cook 0 siblings, 2 replies; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-06-30 7:14 UTC (permalink / raw) To: linux-doc; +Cc: linux-kernel, security, corbet, workflows, Greg Kroah-Hartman Because the linux-distros group forces reporters to release information about reported bugs, and they impose arbitrary deadlines in having those bugs fixed despite not actually being kernel developers, the kernel security team recommends not interacting with them at all as this just causes confusion and the early-release of reported security problems. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- Documentation/process/security-bugs.rst | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst index 82e29837d589..f12ac2316ce7 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -63,20 +63,18 @@ information submitted to the security list and any followup discussions of the report are treated confidentially even after the embargo has been lifted, in perpetuity. -Coordination ------------- +Coordination with other groups +------------------------------ -Fixes for sensitive bugs, such as those that might lead to privilege -escalations, may need to be coordinated with the private -<linux-distros@vs.openwall.org> mailing list so that distribution vendors -are well prepared to issue a fixed kernel upon public disclosure of the -upstream fix. Distros will need some time to test the proposed patch and -will generally request at least a few days of embargo, and vendor update -publication prefers to happen Tuesday through Thursday. When appropriate, -the security team can assist with this coordination, or the reporter can -include linux-distros from the start. In this case, remember to prefix -the email Subject line with "[vs]" as described in the linux-distros wiki: -<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> +The kernel security team strongly recommends that reporters of potential +security issues NEVER contact the "linux-distros" mailing list until +AFTER discussing it with the kernel security team. Do not Cc: both +lists at once. You may contact the linux-distros mailing list after a +fix has been agreed on and you fully understand the requirements that +doing so will impose on you and the kernel community. + +The different lists have different goals and the linux-distros rules do +not contribute to actually fixing any potential security problems. CVE assignment -------------- -- 2.41.0 ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-06-30 7:14 [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Greg Kroah-Hartman @ 2023-06-30 7:14 ` Greg Kroah-Hartman 2023-06-30 7:21 ` Greg Kroah-Hartman 2023-06-30 18:18 ` Kees Cook 2023-06-30 18:14 ` [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Kees Cook 1 sibling, 2 replies; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-06-30 7:14 UTC (permalink / raw) To: linux-doc; +Cc: linux-kernel, security, corbet, workflows, Greg Kroah-Hartman The kernel security team does NOT assign CVEs, so document that properly and provide the "if you want one, ask MITRE for it" response that we give on a weekly basis in the document, so we don't have to constantly say it to everyone who asks. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- Documentation/process/security-bugs.rst | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst index f12ac2316ce7..8b80e1eb7d79 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. CVE assignment -------------- -The security team does not normally assign CVEs, nor do we require them -for reports or fixes, as this can needlessly complicate the process and -may delay the bug handling. If a reporter wishes to have a CVE identifier -assigned ahead of public disclosure, they will need to contact the private -linux-distros list, described above. When such a CVE identifier is known -before a patch is provided, it is desirable to mention it in the commit -message if the reporter agrees. +The security team does not assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may +delay the bug handling. If a reporter wishes to have a CVE identifier +assigned, they should contact MITRE directly. Non-disclosure agreements ------------------------- -- 2.41.0 ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-06-30 7:14 ` [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling Greg Kroah-Hartman @ 2023-06-30 7:21 ` Greg Kroah-Hartman 2023-06-30 18:18 ` Kees Cook 1 sibling, 0 replies; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-06-30 7:21 UTC (permalink / raw) To: linux-doc; +Cc: linux-kernel, security, corbet, workflows On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote: > The kernel security team does NOT assign CVEs, so document that properly > and provide the "if you want one, ask MITRE for it" response that we > give on a weekly basis in the document, so we don't have to constantly > say it to everyone who asks. > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > --- > Documentation/process/security-bugs.rst | 11 ++++------- > 1 file changed, 4 insertions(+), 7 deletions(-) > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > index f12ac2316ce7..8b80e1eb7d79 100644 > --- a/Documentation/process/security-bugs.rst > +++ b/Documentation/process/security-bugs.rst > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. > CVE assignment > -------------- > > -The security team does not normally assign CVEs, nor do we require them > -for reports or fixes, as this can needlessly complicate the process and > -may delay the bug handling. If a reporter wishes to have a CVE identifier > -assigned ahead of public disclosure, they will need to contact the private > -linux-distros list, described above. When such a CVE identifier is known > -before a patch is provided, it is desirable to mention it in the commit > -message if the reporter agrees. > +The security team does not assign CVEs, nor do we require them for > +reports or fixes, as this can needlessly complicate the process and may > +delay the bug handling. If a reporter wishes to have a CVE identifier > +assigned, they should contact MITRE directly. > > Non-disclosure agreements > ------------------------- > -- > 2.41.0 > If there are no objections to these, I'll take them in my tree after 6.5-rc1 is out to make it simpler. thanks, greg k-h ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-06-30 7:14 ` [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling Greg Kroah-Hartman 2023-06-30 7:21 ` Greg Kroah-Hartman @ 2023-06-30 18:18 ` Kees Cook 2023-07-02 12:39 ` Greg Kroah-Hartman 1 sibling, 1 reply; 14+ messages in thread From: Kees Cook @ 2023-06-30 18:18 UTC (permalink / raw) To: Greg Kroah-Hartman; +Cc: linux-doc, linux-kernel, security, corbet, workflows On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote: > The kernel security team does NOT assign CVEs, so document that properly > and provide the "if you want one, ask MITRE for it" response that we > give on a weekly basis in the document, so we don't have to constantly > say it to everyone who asks. > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > --- > Documentation/process/security-bugs.rst | 11 ++++------- > 1 file changed, 4 insertions(+), 7 deletions(-) > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > index f12ac2316ce7..8b80e1eb7d79 100644 > --- a/Documentation/process/security-bugs.rst > +++ b/Documentation/process/security-bugs.rst > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. > CVE assignment > -------------- > > -The security team does not normally assign CVEs, nor do we require them > -for reports or fixes, as this can needlessly complicate the process and > -may delay the bug handling. If a reporter wishes to have a CVE identifier > -assigned ahead of public disclosure, they will need to contact the private > -linux-distros list, described above. When such a CVE identifier is known > -before a patch is provided, it is desirable to mention it in the commit > -message if the reporter agrees. > +The security team does not assign CVEs, nor do we require them for > +reports or fixes, as this can needlessly complicate the process and may > +delay the bug handling. If a reporter wishes to have a CVE identifier > +assigned, they should contact MITRE directly. Hmm. The language about "assigned ahead of public disclosure" was added intentionally due to trouble we'd had with coordination when a CVE was needed, etc. Additionally, it IS preferred to have a CVE in a patch when it IS known ahead of time, so I think that should be kept. How about this: diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst index 82e29837d589..2f4060d49b31 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki: CVE assignment -------------- -The security team does not normally assign CVEs, nor do we require them -for reports or fixes, as this can needlessly complicate the process and -may delay the bug handling. If a reporter wishes to have a CVE identifier -assigned ahead of public disclosure, they will need to contact the private -linux-distros list, described above. When such a CVE identifier is known -before a patch is provided, it is desirable to mention it in the commit -message if the reporter agrees. +The security team does not assign CVEs, nor do we require them for reports +or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned +ahead of public disclosure, they will need to contact MITRE directly. +When such a CVE identifier is known before a patch is provided, it is +desirable to mention it in the commit message if the reporter agrees. Non-disclosure agreements ------------------------- -- Kees Cook ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-06-30 18:18 ` Kees Cook @ 2023-07-02 12:39 ` Greg Kroah-Hartman 2023-07-03 4:08 ` Willy Tarreau 0 siblings, 1 reply; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-07-02 12:39 UTC (permalink / raw) To: Kees Cook; +Cc: linux-doc, linux-kernel, security, corbet, workflows On Fri, Jun 30, 2023 at 11:18:37AM -0700, Kees Cook wrote: > On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote: > > The kernel security team does NOT assign CVEs, so document that properly > > and provide the "if you want one, ask MITRE for it" response that we > > give on a weekly basis in the document, so we don't have to constantly > > say it to everyone who asks. > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > --- > > Documentation/process/security-bugs.rst | 11 ++++------- > > 1 file changed, 4 insertions(+), 7 deletions(-) > > > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > > index f12ac2316ce7..8b80e1eb7d79 100644 > > --- a/Documentation/process/security-bugs.rst > > +++ b/Documentation/process/security-bugs.rst > > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. > > CVE assignment > > -------------- > > > > -The security team does not normally assign CVEs, nor do we require them > > -for reports or fixes, as this can needlessly complicate the process and > > -may delay the bug handling. If a reporter wishes to have a CVE identifier > > -assigned ahead of public disclosure, they will need to contact the private > > -linux-distros list, described above. When such a CVE identifier is known > > -before a patch is provided, it is desirable to mention it in the commit > > -message if the reporter agrees. > > +The security team does not assign CVEs, nor do we require them for > > +reports or fixes, as this can needlessly complicate the process and may > > +delay the bug handling. If a reporter wishes to have a CVE identifier > > +assigned, they should contact MITRE directly. > > Hmm. The language about "assigned ahead of public disclosure" was added > intentionally due to trouble we'd had with coordination when a CVE was > needed, etc. Additionally, it IS preferred to have a CVE in a patch when > it IS known ahead of time, so I think that should be kept. How about > this: > > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > index 82e29837d589..2f4060d49b31 100644 > --- a/Documentation/process/security-bugs.rst > +++ b/Documentation/process/security-bugs.rst > @@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki: > CVE assignment > -------------- > > -The security team does not normally assign CVEs, nor do we require them > -for reports or fixes, as this can needlessly complicate the process and > -may delay the bug handling. If a reporter wishes to have a CVE identifier > -assigned ahead of public disclosure, they will need to contact the private > -linux-distros list, described above. When such a CVE identifier is known > -before a patch is provided, it is desirable to mention it in the commit > -message if the reporter agrees. > +The security team does not assign CVEs, nor do we require them for reports > +or fixes, as this can needlessly complicate the process and may delay > +the bug handling. If a reporter wishes to have a CVE identifier assigned > +ahead of public disclosure, they will need to contact MITRE directly. > +When such a CVE identifier is known before a patch is provided, it is > +desirable to mention it in the commit message if the reporter agrees. I can not, in good faith, with the current mess that MITRE is going through, tell anyone that they should contact MITRE ahead of public disclosure, sorry. All I can say is "if you really want one, go ask them for one", as everyone keeps asking us for one to pad their resume/CV. Also note that many non-US-based companies are not allowed to contact a US-government-backed entity for potential security issues for obvious reasons. So I don't want to even give a hint that we support or request this at all, or that it is something that changelog texts should contain for security issues (for the obvious reason of them being a "hint" one way or another.) External groups may wish to play the CVE "game" as it facilitates their engineering procedures to get changes past managers, but that's not anything that we should be encouraging at all for all of the various geopolitical and corporate reasons involved in that mess. thanks, greg k-h ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-07-02 12:39 ` Greg Kroah-Hartman @ 2023-07-03 4:08 ` Willy Tarreau 2023-07-03 15:00 ` Greg Kroah-Hartman 0 siblings, 1 reply; 14+ messages in thread From: Willy Tarreau @ 2023-07-03 4:08 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Kees Cook, linux-doc, linux-kernel, security, corbet, workflows On Sun, Jul 02, 2023 at 02:39:49PM +0200, Greg Kroah-Hartman wrote: > On Fri, Jun 30, 2023 at 11:18:37AM -0700, Kees Cook wrote: > > On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote: > > > The kernel security team does NOT assign CVEs, so document that properly > > > and provide the "if you want one, ask MITRE for it" response that we > > > give on a weekly basis in the document, so we don't have to constantly > > > say it to everyone who asks. > > > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > > --- > > > Documentation/process/security-bugs.rst | 11 ++++------- > > > 1 file changed, 4 insertions(+), 7 deletions(-) > > > > > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > > > index f12ac2316ce7..8b80e1eb7d79 100644 > > > --- a/Documentation/process/security-bugs.rst > > > +++ b/Documentation/process/security-bugs.rst > > > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. > > > CVE assignment > > > -------------- > > > > > > -The security team does not normally assign CVEs, nor do we require them > > > -for reports or fixes, as this can needlessly complicate the process and > > > -may delay the bug handling. If a reporter wishes to have a CVE identifier > > > -assigned ahead of public disclosure, they will need to contact the private > > > -linux-distros list, described above. When such a CVE identifier is known > > > -before a patch is provided, it is desirable to mention it in the commit > > > -message if the reporter agrees. > > > +The security team does not assign CVEs, nor do we require them for > > > +reports or fixes, as this can needlessly complicate the process and may > > > +delay the bug handling. If a reporter wishes to have a CVE identifier > > > +assigned, they should contact MITRE directly. > > > > Hmm. The language about "assigned ahead of public disclosure" was added > > intentionally due to trouble we'd had with coordination when a CVE was > > needed, etc. Additionally, it IS preferred to have a CVE in a patch when > > it IS known ahead of time, so I think that should be kept. How about > > this: > > > > > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > > index 82e29837d589..2f4060d49b31 100644 > > --- a/Documentation/process/security-bugs.rst > > +++ b/Documentation/process/security-bugs.rst > > @@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki: > > CVE assignment > > -------------- > > > > -The security team does not normally assign CVEs, nor do we require them > > -for reports or fixes, as this can needlessly complicate the process and > > -may delay the bug handling. If a reporter wishes to have a CVE identifier > > -assigned ahead of public disclosure, they will need to contact the private > > -linux-distros list, described above. When such a CVE identifier is known > > -before a patch is provided, it is desirable to mention it in the commit > > -message if the reporter agrees. > > +The security team does not assign CVEs, nor do we require them for reports > > +or fixes, as this can needlessly complicate the process and may delay > > +the bug handling. If a reporter wishes to have a CVE identifier assigned > > +ahead of public disclosure, they will need to contact MITRE directly. > > +When such a CVE identifier is known before a patch is provided, it is > > +desirable to mention it in the commit message if the reporter agrees. > > I can not, in good faith, with the current mess that MITRE is going > through, tell anyone that they should contact MITRE ahead of public > disclosure, sorry. > > All I can say is "if you really want one, go ask them for one", as > everyone keeps asking us for one to pad their resume/CV. > > Also note that many non-US-based companies are not allowed to contact a > US-government-backed entity for potential security issues for obvious > reasons. > > So I don't want to even give a hint that we support or request this at > all, or that it is something that changelog texts should contain for > security issues (for the obvious reason of them being a "hint" one way > or another.) > > External groups may wish to play the CVE "game" as it facilitates their > engineering procedures to get changes past managers, but that's not > anything that we should be encouraging at all for all of the various > geopolitical and corporate reasons involved in that mess. I generally agree with your points above, and these can be easily summarized by indicating that the patch will not wait for this, and suggesting that MITRE is not the only possible source: The security team does not assign CVEs, nor do we require them for reports or fixes, as this can needlessly complicate the process and may delay the bug handling. If a reporter wishes to have a CVE identifier assigned, they should find one by themselves, for example by contacting MITRE directly. However under no circumstances will a patch inclusion be delayed to wait for a CVE identifier to arrive. This puts the responsibility for finding one in time on the reporter depending on what they expect, and if they want it in the commit message, they'd rather have one before reporting the problem. Willy ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-07-03 4:08 ` Willy Tarreau @ 2023-07-03 15:00 ` Greg Kroah-Hartman 2023-07-03 18:35 ` Kees Cook 0 siblings, 1 reply; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-07-03 15:00 UTC (permalink / raw) To: Willy Tarreau Cc: Kees Cook, linux-doc, linux-kernel, security, corbet, workflows On Mon, Jul 03, 2023 at 06:08:00AM +0200, Willy Tarreau wrote: > On Sun, Jul 02, 2023 at 02:39:49PM +0200, Greg Kroah-Hartman wrote: > > On Fri, Jun 30, 2023 at 11:18:37AM -0700, Kees Cook wrote: > > > On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote: > > > > The kernel security team does NOT assign CVEs, so document that properly > > > > and provide the "if you want one, ask MITRE for it" response that we > > > > give on a weekly basis in the document, so we don't have to constantly > > > > say it to everyone who asks. > > > > > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > > > --- > > > > Documentation/process/security-bugs.rst | 11 ++++------- > > > > 1 file changed, 4 insertions(+), 7 deletions(-) > > > > > > > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > > > > index f12ac2316ce7..8b80e1eb7d79 100644 > > > > --- a/Documentation/process/security-bugs.rst > > > > +++ b/Documentation/process/security-bugs.rst > > > > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. > > > > CVE assignment > > > > -------------- > > > > > > > > -The security team does not normally assign CVEs, nor do we require them > > > > -for reports or fixes, as this can needlessly complicate the process and > > > > -may delay the bug handling. If a reporter wishes to have a CVE identifier > > > > -assigned ahead of public disclosure, they will need to contact the private > > > > -linux-distros list, described above. When such a CVE identifier is known > > > > -before a patch is provided, it is desirable to mention it in the commit > > > > -message if the reporter agrees. > > > > +The security team does not assign CVEs, nor do we require them for > > > > +reports or fixes, as this can needlessly complicate the process and may > > > > +delay the bug handling. If a reporter wishes to have a CVE identifier > > > > +assigned, they should contact MITRE directly. > > > > > > Hmm. The language about "assigned ahead of public disclosure" was added > > > intentionally due to trouble we'd had with coordination when a CVE was > > > needed, etc. Additionally, it IS preferred to have a CVE in a patch when > > > it IS known ahead of time, so I think that should be kept. How about > > > this: > > > > > > > > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > > > index 82e29837d589..2f4060d49b31 100644 > > > --- a/Documentation/process/security-bugs.rst > > > +++ b/Documentation/process/security-bugs.rst > > > @@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki: > > > CVE assignment > > > -------------- > > > > > > -The security team does not normally assign CVEs, nor do we require them > > > -for reports or fixes, as this can needlessly complicate the process and > > > -may delay the bug handling. If a reporter wishes to have a CVE identifier > > > -assigned ahead of public disclosure, they will need to contact the private > > > -linux-distros list, described above. When such a CVE identifier is known > > > -before a patch is provided, it is desirable to mention it in the commit > > > -message if the reporter agrees. > > > +The security team does not assign CVEs, nor do we require them for reports > > > +or fixes, as this can needlessly complicate the process and may delay > > > +the bug handling. If a reporter wishes to have a CVE identifier assigned > > > +ahead of public disclosure, they will need to contact MITRE directly. > > > +When such a CVE identifier is known before a patch is provided, it is > > > +desirable to mention it in the commit message if the reporter agrees. > > > > I can not, in good faith, with the current mess that MITRE is going > > through, tell anyone that they should contact MITRE ahead of public > > disclosure, sorry. > > > > All I can say is "if you really want one, go ask them for one", as > > everyone keeps asking us for one to pad their resume/CV. > > > > Also note that many non-US-based companies are not allowed to contact a > > US-government-backed entity for potential security issues for obvious > > reasons. > > > > So I don't want to even give a hint that we support or request this at > > all, or that it is something that changelog texts should contain for > > security issues (for the obvious reason of them being a "hint" one way > > or another.) > > > > External groups may wish to play the CVE "game" as it facilitates their > > engineering procedures to get changes past managers, but that's not > > anything that we should be encouraging at all for all of the various > > geopolitical and corporate reasons involved in that mess. > > I generally agree with your points above, and these can be easily > summarized by indicating that the patch will not wait for this, and > suggesting that MITRE is not the only possible source: > > The security team does not assign CVEs, nor do we require them for > reports or fixes, as this can needlessly complicate the process and may > delay the bug handling. If a reporter wishes to have a CVE identifier > assigned, they should find one by themselves, for example by contacting > MITRE directly. However under no circumstances will a patch inclusion > be delayed to wait for a CVE identifier to arrive. > > This puts the responsibility for finding one in time on the reporter > depending on what they expect, and if they want it in the commit > message, they'd rather have one before reporting the problem. Oh, nice wording, let me steal that! :) thanks, greg k-h ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-07-03 15:00 ` Greg Kroah-Hartman @ 2023-07-03 18:35 ` Kees Cook 2023-07-03 19:05 ` Greg Kroah-Hartman 0 siblings, 1 reply; 14+ messages in thread From: Kees Cook @ 2023-07-03 18:35 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Willy Tarreau, linux-doc, linux-kernel, security, corbet, workflows On Mon, Jul 03, 2023 at 05:00:15PM +0200, Greg Kroah-Hartman wrote: > On Mon, Jul 03, 2023 at 06:08:00AM +0200, Willy Tarreau wrote: > > The security team does not assign CVEs, nor do we require them for > > reports or fixes, as this can needlessly complicate the process and may > > delay the bug handling. If a reporter wishes to have a CVE identifier > > assigned, they should find one by themselves, for example by contacting > > MITRE directly. However under no circumstances will a patch inclusion > > be delayed to wait for a CVE identifier to arrive. > > > > This puts the responsibility for finding one in time on the reporter > > depending on what they expect, and if they want it in the commit > > message, they'd rather have one before reporting the problem. > > Oh, nice wording, let me steal that! :) Yeah, this is good. The last sentence is a little hard to parse, so how about this, with a little more rationale expansion: However under no circumstances will patch publication be delayed for CVE identifier assignment. Getting fixes landed takes precedence; the CVE database entry will already reference the commit, so there is no loss of information if the CVE is assigned later. -Kees -- Kees Cook ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-07-03 18:35 ` Kees Cook @ 2023-07-03 19:05 ` Greg Kroah-Hartman 2023-07-03 19:26 ` Kees Cook 0 siblings, 1 reply; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-07-03 19:05 UTC (permalink / raw) To: Kees Cook Cc: Willy Tarreau, linux-doc, linux-kernel, security, corbet, workflows On Mon, Jul 03, 2023 at 11:35:37AM -0700, Kees Cook wrote: > On Mon, Jul 03, 2023 at 05:00:15PM +0200, Greg Kroah-Hartman wrote: > > On Mon, Jul 03, 2023 at 06:08:00AM +0200, Willy Tarreau wrote: > > > The security team does not assign CVEs, nor do we require them for > > > reports or fixes, as this can needlessly complicate the process and may > > > delay the bug handling. If a reporter wishes to have a CVE identifier > > > assigned, they should find one by themselves, for example by contacting > > > MITRE directly. However under no circumstances will a patch inclusion > > > be delayed to wait for a CVE identifier to arrive. > > > > > > This puts the responsibility for finding one in time on the reporter > > > depending on what they expect, and if they want it in the commit > > > message, they'd rather have one before reporting the problem. > > > > Oh, nice wording, let me steal that! :) > > Yeah, this is good. The last sentence is a little hard to parse, so how > about this, with a little more rationale expansion: > > However under no circumstances will patch publication be delayed for > CVE identifier assignment. Getting fixes landed takes precedence; the > CVE database entry will already reference the commit, so there is no loss > of information if the CVE is assigned later. "simple is better" should be the key here, reading a wall of text is hard for people, so let me just keep the one new sentance that Willy proposed and if people still struggle with the whole CVEs and security@k.o mess in the future, we can revise it again. Also, there is not really a "CVE database", I think that's what NVD from NIST does and CNNVD from China does, and "Something to be named in the future soon" will do for the EU. There is a "CVE List" at cve.org, but that thing is always out of date, and for all of this I don't want to have to try to explain it in our document as that's nothing we want to mess with :) thanks, greg k-h ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-07-03 19:05 ` Greg Kroah-Hartman @ 2023-07-03 19:26 ` Kees Cook 2023-07-03 19:35 ` Willy Tarreau 0 siblings, 1 reply; 14+ messages in thread From: Kees Cook @ 2023-07-03 19:26 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Willy Tarreau, linux-doc, linux-kernel, security, corbet, workflows On Mon, Jul 03, 2023 at 09:05:15PM +0200, Greg Kroah-Hartman wrote: > On Mon, Jul 03, 2023 at 11:35:37AM -0700, Kees Cook wrote: > > On Mon, Jul 03, 2023 at 05:00:15PM +0200, Greg Kroah-Hartman wrote: > > > On Mon, Jul 03, 2023 at 06:08:00AM +0200, Willy Tarreau wrote: > > > > The security team does not assign CVEs, nor do we require them for > > > > reports or fixes, as this can needlessly complicate the process and may > > > > delay the bug handling. If a reporter wishes to have a CVE identifier > > > > assigned, they should find one by themselves, for example by contacting > > > > MITRE directly. However under no circumstances will a patch inclusion > > > > be delayed to wait for a CVE identifier to arrive. > > > > > > > > This puts the responsibility for finding one in time on the reporter > > > > depending on what they expect, and if they want it in the commit > > > > message, they'd rather have one before reporting the problem. > > > > > > Oh, nice wording, let me steal that! :) > > > > Yeah, this is good. The last sentence is a little hard to parse, so how > > about this, with a little more rationale expansion: > > > > However under no circumstances will patch publication be delayed for > > CVE identifier assignment. Getting fixes landed takes precedence; the > > CVE database entry will already reference the commit, so there is no loss > > of information if the CVE is assigned later. > > "simple is better" should be the key here, reading a wall of text is > hard for people, so let me just keep the one new sentance that Willy > proposed and if people still struggle with the whole CVEs and > security@k.o mess in the future, we can revise it again. > > Also, there is not really a "CVE database", I think that's what NVD from > NIST does and CNNVD from China does, and "Something to be named in the > future soon" will do for the EU. There is a "CVE List" at cve.org, but > that thing is always out of date, and for all of this I don't want to > have to try to explain it in our document as that's nothing we want to > mess with :) Okay, fair, though please include something about it in the commit log so that other folks with concerns similar to Mathias Krause's will be answered: https://infosec.exchange/@minipli/110632971830936754 I still think this version of the sentence is more readable: However under no circumstances will patch publication be delayed for CVE identifier assignment. "patch inclusion" is less clear to me that "publication", and "be delayed to wait for" is redundant: a delay is a wait, and "to arrive" is just the assignment, which is the subject of the paragraph, so better to keep the language for that consistent. -Kees -- Kees Cook ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling 2023-07-03 19:26 ` Kees Cook @ 2023-07-03 19:35 ` Willy Tarreau 0 siblings, 0 replies; 14+ messages in thread From: Willy Tarreau @ 2023-07-03 19:35 UTC (permalink / raw) To: Kees Cook Cc: Greg Kroah-Hartman, linux-doc, linux-kernel, security, corbet, workflows On Mon, Jul 03, 2023 at 12:26:32PM -0700, Kees Cook wrote: > I still think this version of the sentence is more readable: > > However under no circumstances will patch publication be delayed for > CVE identifier assignment. > > "patch inclusion" is less clear to me that "publication", and "be > delayed to wait for" is redundant: a delay is a wait, and "to arrive" > is just the assignment, which is the subject of the paragraph, so better > to keep the language for that consistent. I agree, I find it better as well :-) Thanks, Willy ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group 2023-06-30 7:14 [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Greg Kroah-Hartman 2023-06-30 7:14 ` [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling Greg Kroah-Hartman @ 2023-06-30 18:14 ` Kees Cook 2023-07-03 15:00 ` Greg Kroah-Hartman 1 sibling, 1 reply; 14+ messages in thread From: Kees Cook @ 2023-06-30 18:14 UTC (permalink / raw) To: Greg Kroah-Hartman; +Cc: linux-doc, linux-kernel, security, corbet, workflows On Fri, Jun 30, 2023 at 09:14:20AM +0200, Greg Kroah-Hartman wrote: > Because the linux-distros group forces reporters to release information > about reported bugs, and they impose arbitrary deadlines in having those > bugs fixed despite not actually being kernel developers, the kernel > security team recommends not interacting with them at all as this just > causes confusion and the early-release of reported security problems. > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Yeah, this is good. It might make sense to explicitly detail the rationale in security-bugs.rst (as you have in the commit log), but perhaps that's too much detail. Reviewed-by: Kees Cook <keescook@chromium.org> -- Kees Cook ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group 2023-06-30 18:14 ` [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Kees Cook @ 2023-07-03 15:00 ` Greg Kroah-Hartman 2023-07-03 15:01 ` Greg Kroah-Hartman 0 siblings, 1 reply; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-07-03 15:00 UTC (permalink / raw) To: Kees Cook; +Cc: linux-doc, linux-kernel, security, corbet, workflows On Fri, Jun 30, 2023 at 11:14:05AM -0700, Kees Cook wrote: > On Fri, Jun 30, 2023 at 09:14:20AM +0200, Greg Kroah-Hartman wrote: > > Because the linux-distros group forces reporters to release information > > about reported bugs, and they impose arbitrary deadlines in having those > > bugs fixed despite not actually being kernel developers, the kernel > > security team recommends not interacting with them at all as this just > > causes confusion and the early-release of reported security problems. > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > Yeah, this is good. It might make sense to explicitly detail the > rationale in security-bugs.rst (as you have in the commit log), but > perhaps that's too much detail. > > Reviewed-by: Kees Cook <keescook@chromium.org> Thanks for the review. I'll keep this as-is as it's the content of the file that matters in the end. thanks, greg k-h ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group 2023-07-03 15:00 ` Greg Kroah-Hartman @ 2023-07-03 15:01 ` Greg Kroah-Hartman 0 siblings, 0 replies; 14+ messages in thread From: Greg Kroah-Hartman @ 2023-07-03 15:01 UTC (permalink / raw) To: Kees Cook; +Cc: linux-doc, linux-kernel, security, corbet, workflows On Mon, Jul 03, 2023 at 05:00:51PM +0200, Greg Kroah-Hartman wrote: > On Fri, Jun 30, 2023 at 11:14:05AM -0700, Kees Cook wrote: > > On Fri, Jun 30, 2023 at 09:14:20AM +0200, Greg Kroah-Hartman wrote: > > > Because the linux-distros group forces reporters to release information > > > about reported bugs, and they impose arbitrary deadlines in having those > > > bugs fixed despite not actually being kernel developers, the kernel > > > security team recommends not interacting with them at all as this just > > > causes confusion and the early-release of reported security problems. > > > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > > > Yeah, this is good. It might make sense to explicitly detail the > > rationale in security-bugs.rst (as you have in the commit log), but > > perhaps that's too much detail. > > > > Reviewed-by: Kees Cook <keescook@chromium.org> > > Thanks for the review. I'll keep this as-is as it's the content of the > file that matters in the end. Ok, that didn't come out well, let me try again. Let's leave the text as-is for now, thanks. greg k-h ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2023-07-03 19:35 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-06-30 7:14 [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Greg Kroah-Hartman 2023-06-30 7:14 ` [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling Greg Kroah-Hartman 2023-06-30 7:21 ` Greg Kroah-Hartman 2023-06-30 18:18 ` Kees Cook 2023-07-02 12:39 ` Greg Kroah-Hartman 2023-07-03 4:08 ` Willy Tarreau 2023-07-03 15:00 ` Greg Kroah-Hartman 2023-07-03 18:35 ` Kees Cook 2023-07-03 19:05 ` Greg Kroah-Hartman 2023-07-03 19:26 ` Kees Cook 2023-07-03 19:35 ` Willy Tarreau 2023-06-30 18:14 ` [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Kees Cook 2023-07-03 15:00 ` Greg Kroah-Hartman 2023-07-03 15:01 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox