Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7 2026-04-04T08:38:43+00:00 2026-04-04T08:38:43+00:00 Willy Tarreau w@1wt.eu 2026-04-04T08:20:33+00:00 urn:sha1:f387e2e2b9d302688dbdceebe9aade221c90f09e In previous patch "Documentation: clarify the mandatory and desirable info for security reports" I left two typos that I didn't detect in local checks. One is "get_maintainers.pl" (no 's' in the script name), and the other one is a missing closing quote after "Reported-by", which didn't have effect here but I don't know if it can break rendering elsewhere (e.g. on the public HTML page). Better fix it before it gets merged. Signed-off-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260404082033.5160-1-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-03T11:11:23+00:00 Willy Tarreau w@1wt.eu 2026-04-03T06:20:18+00:00 urn:sha1:496fa1befba1e8ff149af5120cd9c9616bb05120 A significant part of the effort of the security team consists in begging reporters for patch proposals, or asking them to provide them in regular format, and most of the time they're willing to provide this, they just didn't know that it would help. So let's add a section detailing the required and desirable contents in a security report to help reporters write more actionable reports which do not require round trips. Cc: Eric Dumazet <edumazet@google.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260403062018.31080-4-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-03T11:11:23+00:00 Willy Tarreau w@1wt.eu 2026-04-03T06:20:17+00:00 urn:sha1:a72b832a482372001a158c8014d116b053089b5d These days, 80% of the work done by the security team consists in locating the affected subsystem in a report, running get_maintainers on it, forwarding the report to these persons and responding to the reporter with them in Cc. This is a huge and unneeded overhead that we must try to lower for a better overall efficiency. This patch adds a complete section explaining how to figure the list of recipients to send the report to. Cc: Eric Dumazet <edumazet@google.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260403062018.31080-3-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-03T11:11:23+00:00 Willy Tarreau w@1wt.eu 2026-04-03T06:20:16+00:00 urn:sha1:f2b1cbef153636fa498324b47e822e8b4d1774aa This clarifies the fact that the bug reporters must use a valid e-mail address to send their report, and that the security team assists developers working on a fix but doesn't always produce fixes on its own. Cc: Eric Dumazet <edumazet@google.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260403062018.31080-2-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-12-22T22:32:03+00:00 Willy Tarreau w@1wt.eu 2025-11-29T14:17:41+00:00 urn:sha1:ceddb2c001d9f22fd3712dc0425c3a15bc504461 As the trend of AI-generated reports is growing, the trend of unreadable reports in gimmicky formats is following, and we cannot request that developers rely on online viewers to be able to read a security report full for formatting tags. Let's just insist on the plain text requirement a bit more. Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Ingo Molnar <mingo@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> Message-ID: <20251129141741.19046-1-w@1wt.eu> 2025-08-17T10:23:30+00:00 Willy Tarreau w@1wt.eu 2025-08-14T19:27:30+00:00 urn:sha1:3a68841d1d9b6eb32b2652bbb83acd17d5eb9135 The text was presenting the team, the the e-mail address, then some of the expectations, then what form of e-mail is expected. By switching the e-mail paragraph two paragraphs later and dropping the "Contact" sub-section, we can have a more natural flow that presents the team, then its expectation, then how to best contribute, then where to send. And more importantly, it increases the chances that reporters have read the prerequisites before finding the e-mail address. Signed-off-by: Willy Tarreau <w@1wt.eu> Reviewed-by: Kees Cook <kees@kernel.org> Link: https://lore.kernel.org/r/20250814192730.19252-2-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-08-17T10:23:28+00:00 Willy Tarreau w@1wt.eu 2025-08-14T19:27:29+00:00 urn:sha1:d49172bbd7eb07e4ba5e52238eaa9caf692c1cea Some bug reports sent to the security team sometimes lack any explanation, are only AI-generated without verification, or sometimes it can simply be difficult to have a conversation with an invisible reporter belonging to an opaque team. This fortunately remains rare but the trend has been steadily increasing over the last years and it seems important to clarify what developers expect from reporters to avoid frustration on any side and keep the process efficient. Signed-off-by: Willy Tarreau <w@1wt.eu> Reviewed-by: Kees Cook <kees@kernel.org> Link: https://lore.kernel.org/r/20250814192730.19252-1-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-17T13:46:39+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-02-17T12:55:31+00:00 urn:sha1:5928d411557ec5d53832cdd39fc443704a3e5b77 The Linux kernel project now has the ability to assign CVEs to fixed issues, so document the process and how individual developers can get a CVE if one is not automatically assigned for their fixes. Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org> Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org> Reviewed-by: Lukas Bulwahn <lukas.bulwahn@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Lee Jones <lee@kernel.org> Link: https://lore.kernel.org/r/2024021731-essence-sadness-28fd@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-10-24T09:25:01+00:00 Willy Tarreau w@1wt.eu 2023-10-15T13:09:59+00:00 urn:sha1:0217f3944aebad1d4beec5894ec80472b94b4139 The linux-distros list relaxed their rules to try to adapt better to how the Linux kernel works. Let's update the Coordination part to explain why and when to contact them or not to and how to avoid trouble in the future. Link: https://www.openwall.com/lists/oss-security/2023/09/08/4 Cc: Kees Cook <keescook@chromium.org> Cc: Solar Designer <solar@openwall.com> Cc: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Willy Tarreau <w@1wt.eu> Link: https://lore.kernel.org/r/20231015130959.26242-1-w@1wt.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-07-17T05:44:10+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-06-30T07:14:21+00:00 urn:sha1:3c1897ae4b6bc7cc586eda2feaa2cd68325ec29c The kernel security team does NOT assign CVEs, so document that properly and provide the "if you want one, ask MITRE for it" response that we give on a weekly basis in the document, so we don't have to constantly say it to everyone who asks. Link: https://lore.kernel.org/r/2023063022-retouch-kerosene-7e4a@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>