oss-sec mailing list archives
Re: linux-distros list policy and Linux kernel
From: Dan Carpenter <dan.carpenter () oracle com>
Date: Thu, 19 May 2022 15:41:26 +0300
What I wish we had is a private way to tell maintainers "You may want to pick up a patch." It has to be private. Sending emails to oss-security does not work.

I don't know how distributions do embargos and I don't want to be a part of that discussion. If I started disclosing bugs then I would be a part of a discussion I'm trying to avoid.

I'm pretty sure a lot of employers have a policy about disclosing vulnerabilities. I've never disclosed a vulnerability so I don't know Oracle's policy. Possibly sending an email to oss-security could get me fired??? Probably Linux distro maintainers would be pissed because they didn't get a heads up? Or their customers could be pissed at me?

The optics of reporting bugs to oss-security are bad. The patches are always fixed in -stable. Why would people pay for a distro kernel when only the free of charge -stable tree has the patches you need?

Plus the people who report bugs often want to disclose it themselves.

regards,
dan carpenter