Re: linux-distros list policy and Linux kernel, again

[Solar Designer <solar () openwall com>]

Hi Willy,

Thank you for your helpful feedback and criticism.

I just noticed the recent ksummit list thread is also summarized by LWN:

https://lwn.net/Articles/941745/

In there, Johannes Segitz (SUSE, and a former linux-distros subscriber)
made a comment saying (among other things):

"I see the 14 day requirement by distros as the major problem in the way
it is currently run. I understand why solar designer insists on this (it
is really tricky to keep information private for any extended time), but
this then leads to people working around distros and distributing the
information up front, only to notify distros when it's basically already
solved and widely known."

I think people handling a complex issue more privately at first and only
notifying distros when no more than 14 days is left until planned public
disclosure is actually fine.  I doubt all distros need to be involved in
early analysis and fixing of a complex issue e.g. in the kernel.

On Sun, Aug 27, 2023 at 09:57:07PM +0200, Willy Tarreau wrote:
> On Sat, Aug 26, 2023 at 12:23:59AM +0200, Solar Designer wrote:
> > In terms of (linux-)distros list policy, what can we do here?  Accept up
> > to 7 days since fix is ready and thus accept arbitrarily long embargoes
> > and more likely have issues "requiring" such embargoes brought to the
> > list?  BTW, for CPU microarchitectural issues, that would probably need
> > to be for the full distros list, not limited to Linux, and from what I
> > know disclosure timelines for such issues may be 3 to 12+ months.
>
> Please note that delays are not specific to hardware issues. We've had
> to work maybe 3 months with a reporter on a randomness problem that
> allowed to some extents to guess TCP ports and sequence numbers, and it
> required us to imagine various approaches that shouldn't break TCP, and
> iterate with the researchers who studied them, tested them before getting
> back to us with "it still isn't sufficient". It was a long and painful
> one, nobody remained idle, yet it was really needed to get to the end of
> it before publishing anything. Further, the researchers asked us to keep
> some details on hold for a while because they were preparing a paper, and
> this is also something to keep in mind (some of them depened on this,
> though we must not accept that it drags for too long).

Yes, I understand that such cases and such incentives exist.  In those
cases, the issue should only be brought to (linux-)distros when it's
almost ready for publication.

That said, can you share more detail on the specific issue you referred
to above and its handling/disclosure timeline?  Was it ever brought to
oss-security, and if not then why not?

I am guessing this is related to your work on random32 in 2020:

https://lore.kernel.org/netdev/20200808152628.GA27941 () SDF ORG/

If so, it looks like the original issue became public via your commit in
July 2020, but further issues with that fix commit were discovered and
fixes for them prepared in public in August and only merged in October.

So I guess some lengthy private discussion occurred before July 2020,
but it wasn't enough anyway, which makes me question the value of having
the initial handling in private.  Maybe the issue wasn't critical enough
and privately-fixable enough for that.  Maybe this actually illustrates
that such issues are best handled entirely in public... if it were not
for the researchers' incentive you mentioned (plan to publish a paper).

> As such I think that it's not a good solution to anything to require a
> disclosure before a fix is ready. Actually there can be one exception:
> when no more progress is being made. I don't think I would personally be
> shocked by saying that a discussion that remained inactive for 7 days
> leads to publication, it would sufficiently put the pressure on all parties
> not to let it cool rot. And difficult issues generally don't stay inactive
> for more than a few days.

Makes sense.  The current kernel documentation edit should take care of
this (no linux-distros notification until fix is ready) for cases where
the reporter learns of linux-distros from there.  Maybe we should even
duplicate this information on the linux-distros wiki page?

Alternatively, we may need to relax the policy.

> > As to publishing PoCs/exploits, this is already mitigated by the Linux
> > kernel documentation edit making it less likely (but far from
> > impossible) that people would send stuff to linux-distros without being
> > aware of the policy.  We could further mitigate this issue by allowing
> > up to 30 days (but perhaps suggesting at most 7 days?)
>
> I don't think maintaining pressure on the reporter regarding the need
> for publishing reproducers is doing any good. It should be up to the
> reporter to say "please keep this confidential". We've had many of
> these on s@k.o, and it's perfectly understandable. Knowing that they
> must be very careful about what they share because it will be published
> is a big constraint, whether it's in terms of code quality, authorization
> from an employer or customer, code that was blatantly copy-pasted from
> another exploit just to help with testing, etc. All of this is useful
> for those trying to fix the problem and do not strictly need to be
> published, so it's pointless to add pressure on the reporter regarding
> this.

Via links from the new LWN story, I also found your similar comments
from 2022:

https://lwn.net/Articles/897065/

Here's a thought experiment: what if the list were not private at all,
e.g. like oss-security is not?  Sure someone can ask to "please keep
this confidential", but if it's posted to the list that would be
ineffective.  So what people sometimes do on public lists, Bugzillas,
GitHub issues, etc. is share private reproducers with individual
maintainers out-of-band, such as via direct e-mail, while keeping the
main discussion on the list, etc.  I see no good reason why the same
can't be happening on a temporarily-private list.  So the real problem
may be that (linux-)distros is misunderstood as permanently-private
rather than temporarily-private.  Unfortunately, I don't know how to
address that reliably.  Even with automated delayed publication, some
people would initially have the wrong idea... maybe unless they have to
pass through a web page with the public archives before finding the
posting address?

Alternatively, we may need to relax the policy.

Just thinking out loud.

Alexander