Hacker News

semiquaver, yesterday at 6:07 PM (5 replies)

> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.

Why would they imply it is incumbent on the reporter to liaise with distributions? That seems to assume a high level of familiarity with the Linux project. Vulnerability reporters shouldn’t be responsible for directly working with every downstream consumer of the Linux kernel; what’s the limiting principle there? Should the reporter also be directly talking to all device manufacturers that use Linux on their machines?

IMO the reporter did more than enough by responsibly disclosing it to Linux and waiting for a patch to land.

Aren’t there people in the Linux project itself with authority over and responsibility for security vulnerabilities? One would think they would be the ones notifying downstream distros…


Replies

aduwah, yesterday at 7:04 PM

Especially since the reporter is explicitly asked not to notify the distro teams first.

https://docs.kernel.org/process/security-bugs.html

> As such, the kernel security team strongly recommends that as a reporter of a potential security issue you DO NOT contact the “linux-distros” mailing list UNTIL a fix is accepted by the affected code’s maintainers and you have read the distros wiki page above and you fully understand the requirements that contacting “linux-distros” will impose on you and the kernel community.

sega_sai, yesterday at 6:14 PM

The reporter took time to check and mention on their website specific distributions Ubuntu/RHEL/SUSE. One would have thought reporting to security teams of at least those would be responsible.

skywhopper, yesterday at 6:13 PM

The reporter made a website explicitly calling out Ubuntu, RedHat, Amazon, and SUSE but didn’t notify them, and you think that’s reasonable? That they might not have known those distributions are downstream from the kernel team?

sparker72678, yesterday at 6:12 PM

Sure, maybe it's not a _requirement_, but now we're all in more pain because the reporters are more interested in Fame than Safe Remediation.

froh, yesterday at 6:57 PM

It's trivial to find out how to report a security issue like this to Linux distros.

Google search: https://share.google/aimode/eihDKXZJy94Z5lC1p

And it's beyond me not to think about doing this and instead exposing everyone and their neighbor to this exploit up front.

I'm certain this is even a felony in some legislations, rightfully so.
