[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

Greg KH greg at kroah.com
Sun Sep 9 12:51:30 UTC 2018


On Sat, Sep 08, 2018 at 08:54:26AM -0700, James Bottomley wrote:
> On Sat, 2018-09-08 at 17:32 +0200, Greg KH wrote:
> > On Sat, Sep 08, 2018 at 08:00:29AM -0700, James Bottomley wrote:
> > > On Sat, 2018-09-08 at 13:34 +0200, Greg KH wrote:
> > > > On Sat, Sep 08, 2018 at 08:21:41AM -0300, Mauro Carvalho Chehab
> > > > wrote:
> > > > > IMHO, the best would be to have a formal/legal way to handle
> > > > > it.
> > > > 
> > > > No, sorry, some of us are not allowed legally to sign NDAs for
> > > > stuff like this.
> > > 
> > > As a blanket statement this simply isn't true.
> > 
> > Um, I said "some of us".  Some of us can, some of us can not.  That's
> > a blanket statement that has to be true :)
> 
> OK, let me make it more specific: there exists no individual
> contributing to open source in a leadership capacity for whom a
> signable NDA cannot be crafted.

"can be crafted eventually" :)

There are language issues, corporate issues, and lots and lots of other
issues involved here, you know this.  Look at Mauro's situation for one
example.

Anyway, if the main goal here is to somehow have the LF provide some
sort of situation where we can invoke the old "3-way" NDA process to
handle security issues, then fine, let's propose that and see if the LF
wishes to do this.

But remember, this is only needed for the "crazy" issues, like Meltdown.
What we put together ad hoc for L1TF worked well, and what we do every
week in handling security issues sent to security at k.org works very well
also.  So well that no one really realizes what we do there :)

So again, if this is something that people strongly feel the LF should
handle, let the TAB know and they will be glad to work on it.

thanks,

greg k-h