[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues
Jiri Kosina
jikos at kernel.org
Sun Sep 9 19:41:49 UTC 2018
On Sun, 9 Sep 2018, Linus Torvalds wrote:
> > But remember, this is only needed for the "crazy" issues, like Meltdown.
> > What we put together add-hoc for L1TF worked well, and what we do every
> > week in handling security issues sent to security at k.org works very well
> > also. So well that no one really realizes what we do there :)
>
> Note that at some point, we should just say "f*ck it".
I absolutely agree (even more for stable tree backports).
One thing that is absolutely necessary then though (especially if this is
just about not doing crazy backport to -stable), to make it absolutely
clear to the stable downstreams/consumers, that this is the case.
Rationale: turns out it might be even illegal in some countries to release
software with known security issue for which the fix exists (yeah, well,
whatever that means). So the downstreams really should be made aware, so
that we don't put them into an uncomfortable situation and they could
adapt somehow.
(on a first sight, this might be like buying into what grsecurity folk(s)
have been asking for for ages -- that is annotating ideally each and every
commit with its security implications -- but that's not the case here;
it's quite the opposite: explicitly stating that certain security
fix/backport is *not* happening).
Thanks,
--
Jiri Kosina
SUSE Labs
More information about the Ksummit-discuss
mailing list