Re: "Linux Kernel security demistified"

[Solar Designer <solar () openwall com>]

Hi Willy,

On Thu, Oct 05, 2023 at 07:59:57AM +0200, Willy Tarreau wrote:
> On Sun, Oct 01, 2023 at 09:13:03PM +0200, Solar Designer wrote:
> > I wonder whether the kernel documentation could, however, be encouraging
> > rather than discouraging (as it currently is) about issue reporters
> > themselves contacting linux-distros after a fix is ready.  I wonder if a
> > patch like that would be accepted?
>
> Just as a quick heads up on this, I discussed with Greg there and proposed
> to send a patch proposal to rework that part to take into account your now
> relaxed rules. My goal is to let the reporter decide on their own, and let
> them decide what they want to do after checking the linux-distros rules.

This sounds just right to me.  Thank you!

> There could be a good motivation for some reporters to go there because a
> number of them are first-timers who are seeking a Curriculum Vitae Enhancer
> (CVE) ID that s@k.o doesn't deal with. But I also want to remind (I know I
> may sound like a scratched record) that it's not because some may report
> there that distros will magically be aware of all security issues, given
> that those arriving on s@k.o are really a tiny portion and many more bugs
> are fixed without anyone having a security look on them.

Of course.  What makes these reports special is that the reporters often
intend to make them public as security issues, sometimes have exploits.

> I'm just too short of time for now, having to catch up with what I left
> for the 3 days of KR2023, but it's on my todo list to propose a patch to
> Greg. I'm having reasonable hopes that we can end up with something
> smoother in the near future.

Sounds great.

Please keep me and Vegard Nossum <vegard.nossum () oracle com> CC'ed on the
patch submission.

Thanks,

Alexander