Re: linux-distros membership application - Microsoft

                							

From: Sasha Levin <sashal () kernel org>

Date: Sat, 6 Jul 2019 18:29:36 -0400

On Sat, Jul 06, 2019 at 09:37:37PM +0200, Solar Designer wrote:
> Hi all,
>
> Per our current policy and precedents, I see no valid reasons not to
> subscribe Microsoft (or part(s) of it, see below) to linux-distros.  So
> I intend to figure out some detail and proceed with the subscription.

Thank you.

[snip]

> On Fri, Jun 28, 2019 at 01:08:12PM -0400, Sasha Levin wrote:
>> Can I suggest that we fork the discussion around security-bugs.rst to
>> LKML? I can suggest an initial patch to address your comments here but I
>> think that this is better handled on LKML.
>
> Yes, please.

Sure, give me a day or two to get it out. I'll cross-post
LKML/ksummit-discuss/oss-security as I think it's one of those times it
actually makes sense.

>> Microsoft's history with Linux is a rather recent one. I can offer the
>> following examples if you're willing to give us a few months off of the
>> "1 year" requirement:
>>
>> CVE-2018-1002105:
>> https://azure.microsoft.com/en-us/updates/aks-clusters-patched-for-kubernetes-vulnerability/
>> CVE-2018-5391, CVE-2018-5390:
>> https://azure.microsoft.com/en-us/blog/security-bulletin-for-august-2018/
>> CVE-2019-5736:
>> https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
>> CVE-2019-11477, CVE-2019-11478, CVE-2019-11479:
>> https://azure.microsoft.com/en-us/updates/security-advisory-on-linux-kernel-tcp-vulnerabilities-for-hdinsight-clusters/
>
> The oldest of these is August 8, 2018, which is just 1 month short of
> the 1 year term.  I suppose we could either give Microsoft this 1 month
> off as you suggest based on Microsoft's track record of promptly dealing
> with security issues in non-Linux products, or subscribe Microsoft to
> linux-distros in August 2019 (or later).

Whatever list admins/members are comfortable with.

> More importantly, maybe we shouldn't list "Microsoft" as a member of
> linux-distros.  Microsoft is so much more than the recent Linux-based
> products and services.  We similarly list "Amazon Linux AMI" rather than
> "Amazon", and "Chrome OS" rather than "Google" (and we had separately
> listed "Android", which has since unsubscribed), and "Ubuntu" rather
> than "Canonical".  OTOH, we were not as careful to list proper products,
> etc. for some others such as "Oracle".
>
> If we list "Microsoft", this might be especially confusing since issues
> being reported might also be relevant to Windows.  The reporters need to
> know they're not reaching Windows security team unless they specifically
> authorize that.
>
> Any suggestions on the above?

Yes, this is tricky. Maybe "Microsoft Linux Systems Group"? That's our
group name within Microsoft. I guess that we can also add a short wiki
page with references to the products/distros we support as well as a
clarification that this has nothing to do with Windows and list MSRC's
contact information.

> Regardless, the list policy only allows use of the information for
> "getting the issue fixed for your distro's users and, only in rare
> extreme cases, for deployment of maximally non-revealing changes to
> maintain security of your distro's infrastructure most essential to the
> distro users' security in face of the security issue being dealt with.
> The need-to-know condition is met only if the person needs to
> participate in one of these two activities."  This is meant to preclude
> sharing within the organization beyond its parts responsible for the
> "distro" the organization is subscribed for.

As I've indicated before, we intend to follow the list's policies.
Information obtained from the list will be used only for the purposes
listed in our original application, and any additional future use will
go through the list for approvals first.

--
Thanks,
Sasha
