Re: "Linux Kernel security demistified"

[Jean Luc Picard <atari2600a () gmail com>]

Hey just dropping in as I do, I really appreciated the talk once it hit the
linux foundations channel & I got to watching it.  It flowed really really
well, Very thought-provoking to the point of making the whole thing seem
like 15 minutes rather than an hour.  I haven't been as enamered with a
discussion of security philosophy since I watched CISSP test-prep so I
could crash-course CISSP without having to actually pay for it (for fun).

On Thu, Oct 5, 2023 at 6:02 AM Willy Tarreau <w () 1wt eu> wrote:

> Hi Alexander,
>
> On Sun, Oct 01, 2023 at 09:13:03PM +0200, Solar Designer wrote:
> > I wonder whether the kernel documentation could, however, be encouraging
> > rather than discouraging (as it currently is) about issue reporters
> > themselves contacting linux-distros after a fix is ready.  I wonder if a
> > patch like that would be accepted?
>
> Just as a quick heads up on this, I discussed with Greg there and proposed
> to send a patch proposal to rework that part to take into account your now
> relaxed rules. My goal is to let the reporter decide on their own, and let
> them decide what they want to do after checking the linux-distros rules.
> There could be a good motivation for some reporters to go there because a
> number of them are first-timers who are seeking a Curriculum Vitae Enhancer
> (CVE) ID that s@k.o doesn't deal with. But I also want to remind (I know I
> may sound like a scratched record) that it's not because some may report
> there that distros will magically be aware of all security issues, given
> that those arriving on s@k.o are really a tiny portion and many more bugs
> are fixed without anyone having a security look on them.
>
> I'm just too short of time for now, having to catch up with what I left
> for the 3 days of KR2023, but it's on my todo list to propose a patch to
> Greg. I'm having reasonable hopes that we can end up with something
> smoother in the near future.
>
> Cheers,
> Willy