Re: thoughts on kernel security issues

From: Florian Weimer
Date: Wed Jan 12 2005 - 14:53:00 EST


* Chris Wright:

> This same discussion is taking place in a few forums. Are you opposed to
> creating a security contact point for the kernel for people to contact
> with potential security issues?

Would this be anything but a secretary in front of vendor-sec?

> http://www.wiretrip.net/rfp/policy.html
>
> Right now most things come in via 1) lkml, 2) maintainers, 3) vendor-sec.
> It would be nice to have a more centralized place for all of this
> information to help track it, make sure things don't fall through
> the cracks, and make sure of timely fix and disclosure.

You mean, like issuing *security* *advisories*? *gasp*

I think this is an absolute must (and we are certainly not alone!),
but this project does not depend on the way the initial
contact is handled.

> + If it is a security bug, please copy the Security Contact listed
> +in the MAINTAINERS file. They can help coordinate bugfix and disclosure.
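
Review bot: the added sentence "please copy the Security Contact" does not say whether a report may go to that contact alone or only as a Cc on a posting to the usual recipients, and "coordinate bugfix and disclosure" gives no indication of how disclosure is handled. Suggest stating explicitly whether a private report to the Security Contact is acceptable and pointing to where the disclosure terms are documented. The first added line also begins with a space after the "+" while the second does not; check that the indentation is intended.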

If this is about delayed disclosure, a few more details are required,
IMHO. Otherwise, submitters will continue to use their
well-established channels. Most people hesitate before posting stuff
they view as sensitive to a mailing list.