Re: [PATCH] Documentation/security-bugs: provide more information about linux-distros

[Greg KH]

On Thu, Jul 11, 2019 at 12:36:37PM -0400, Sasha Levin wrote:
> Provide more information about how to interact with the linux-distros
> mailing list for disclosing security bugs.
> 
> First, clarify that the reporter must read and accept the linux-distros
> policies prior to sending a report.
> 
> Second, clarify that the reported must provide a tentative public
> disclosure date and time in his first contact with linux-distros.
> 
> Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
>  Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
> 
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index dcd6c93c7aac..c62faced9256 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -61,14 +61,19 @@ Coordination
>  
>  Fixes for sensitive bugs, such as those that might lead to privilege
>  escalations, may need to be coordinated with the private
> -<linux-distros@xxxxxxxxxxxxxxx> mailing list so that distribution vendors
> -are well prepared to issue a fixed kernel upon public disclosure of the
> -upstream fix. Distros will need some time to test the proposed patch and
> -will generally request at least a few days of embargo, and vendor update
> -publication prefers to happen Tuesday through Thursday. When appropriate,
> -the security team can assist with this coordination, or the reporter can
> -include linux-distros from the start. In this case, remember to prefix
> -the email Subject line with "[vs]" as described in the linux-distros wiki:
> +<linux-distros@xxxxxxxxxxxxxxx> mailing list so that distribution vendors are
> +well prepared to issue a fixed kernel upon public disclosure of the upstream
> +fix. As a reporter, you must read and accept the list's policy as outlined in
> +the linux-distros wiki:
> +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>.
> +When you report a bug, you must also provide a tentative disclosure date and
> +time in your very first message to the list. Distros will need some time to
> +test the proposed patch so please allow at least a few days of embargo, and
> +vendor update publication prefers to happen Tuesday through Thursday. When
> +appropriate, the security team can assist with this coordination, or the
> +reporter can include linux-distros from the start. In this case, remember to
> +prefix the email Subject line with "[vs]" as described in the linux-distros
> +wiki:
>  <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>

Do we really need to describe all of the information on how to use the
distro list here?  That's why we included the link, as it has all of
this well spelled out and described.  If anything, I would say we should
say less in this document about what linux-distros do, as that is
independent of the Linux security team.

thanks,

greg k-h