[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

Thomas Gleixner tglx at linutronix.de
Tue Sep 11 09:03:25 UTC 2018


On Tue, 11 Sep 2018, Jiri Kosina wrote:
> On Mon, 10 Sep 2018, Thomas Gleixner wrote:
> 
> > Looking at SSBD/L1TF only and ignoring the Meltdown/Spectre disaster (which
> > was completely FUBARed by Intel), having something like this in place could
> > have certainly solved the main gap which we had. We were able to
> > communicate freely between the informed parties and their allowed-to-know
> > kernel developers, even across vendors.
> 
> Agreed, this worked pretty well this time.
> 
> > But there was no simple way to bring in anybody else. It took us almost
> > 2 months to get GregKH on board, but there was no way to talk to e.g.
> > the BPF folks in time.
> 
> But this was what has caused real pain indeed. Do we know / can it be
> publicly said what exactly was the issue in those cases? Was it perhaps
> that those people were not employed by a company the disclosing party had
> an NDA in place with already (like it probably had with all the involved
> vendors, etc)?

Greg is not employed by one of the companies to which the issue was
disclosed and had no NDA in place. AFAIK he's not doing the NDA mess
either, so it took time to sort it out.

For others, who were not employed by one of the involved parties and were
not covered by some magic NDA construct, we just gave up because at the
point we realized that we needed their expertise it was way too late to wait
a couple of months/weeks to get that sorted.

That's where I see the embargo coordination to have its place. If the
people working on the embargoed issue need the expertise of somebody who is
not covered in one way or the other, then the embargo team can disclose it
due to technical necessity and based on trust.

And I can see that working, because if someone gets pulled in and spills
the beans then he has not only violated the trust put into him for this
particular embargo issue, he also killed his reputation and trust
relationships in the community as a whole.

I doubt that any coordinator in a company - despite the whole NDA/work
contract/whatever stuff in place - will disclose a sensitive embargo issue
to an engineer whom he doesn't trust fully.

Thanks,

	tglx
