Re: linux-distros list policy and Linux kernel

[eduardo vela <evn () googlers com>]

On Mon, 23 May 2022, 08:35 Greg KH, <greg () kroah com> wrote:

> On Sun, May 22, 2022 at 08:55:50PM +0100, Sam James wrote:
> > I'd also like to ask that the final commit messages please reference any
> > relevant CVEs or at least the security impact. There've been a fair
> number
> > of incidents where such information is stripped and it makes tracking
> > issues *really* hard.
>
> That is pretty much impossible and goes against the whole goal of "get
> this fixed and in a public tree and only tell the world that it was an
> issue after-the-fact" way that the kernel team works.  If we put all of
> that in the commit to start with, the whole world knows this info.  We
> can't go back in time and change git commits for obvious reasons.

Hi all

Regarding keeping the security relevance of the patch secret.

Something we are working on now (as the Google CNA) is to automatically
generate CVEs for Syzkaller findings that meet some criteria (unique, with
reproducer, and with some heuristics to determine the type of crash, eg
KASAN+uaf). We would also monitor advisories from distros to catch
duplicate CVEs and not issue them in those cases.

The reason I mention it in this list is because a CVE would be issued (and
maybe communicated to oss-security@ to avoid duplicate CVEs), which might
also automatically break embargos. That said, I hope that's OK, as
Syzkaller is just a subset of security vulnerabilities being disclosed on
the Kernel.

If you have feedback about the overall concept, please send it off-list (or
start a new thread) as to avoid derailing the topic, but I wanted to bring
it up because it might appear as willing violations of Embargo on the new
linux-distros@ process being proposed.

Regards


thanks,
> gre gk-h