Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow)
From: Greg KH <greg () kroah com>
Date: Mon, 4 Mar 2013 11:52:54 +0800
On Mon, Mar 04, 2013 at 06:57:23AM +0400, Solar Designer wrote:
Note that I am not even asking you to reconsider. I have little hope
that you would, as you appeared to have a firm opinion on this.
I merely mentioned this aspect, with no intent to prompt a discussion of
it. That said, I've commented inline, just to clear up your confusion.
Thanks for doing this.
You bring up a bunch of issues that
the distros need to consider, what can the Linux kernel security team do
Post to oss-security on commit day.
You know why we will not do that, sorry.
Optionally, also notify linux-distros a few days before the commit.
We don't usually have "days" before things are committed. We find out
about a problem, we make up a fix, and it is committed. Usually all
within 1-2 days. Sometimes things take longer to fix, but usually it's
Overall, I think we should bite the bullet and accept sko's
notifications to linux-distros, with a grace period of up to 7 days.
Whenever a distro is ready to release an update, they should be able to
insist on doing so within another 1 day, even if the initially planned
grace period would expire later. Would sko be OK with this? Greg?
Again, I don't think anyone that is part of security () kernel org minds
about having the issues publicized, after linux-distro has their time
to get things fixed and to their users. If the linux-distro people care
about that, that does not seem to be a security () kernel org group issue,
Right, but since you previously refused to notify oss-security right
away, I thought that you could possibly stipulate that you'd only keep
notifying linux-distros if the linux-distros folks keep the issues from
hitting oss-security for at least a certain amount of time, or at least
until fixes are available (from at least one distro? from all?), or
whatever. If you're fine with letting linux-distros decide on this
fully on their own, and you would not stop notifying linux-distros if
you deem that they fully disclose the issues publicly "too soon", that's
great (and logical)!
As far as I am concerned, I trust linux-distros to manage this in a sane
and proper manner, and they can notify the world when they decide to do
so. If that trust is somehow broken, we can revisit the issue in the