From: Dave Hansen <[email protected]>
Both hardware companies and the kernel community prefer coordinated disclosure to the alternatives. It is also obvious that sitting on ready-to-go mitigations for months is not so nice for kernel maintainers.

I want to ensure that the patched text can not be read as "the kernel does not wait for conference dates". I'm also fairly sure that, so far, we *have* waited for a number of conference dates.

Change the text to make it clear that waiting for conference dates is possible, but keep the grumbling about it being a burden.

While I think this is good for everyone, this patch represents my personal opinion and not that of my employer.

Cc: Jonathan Corbet <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Sasha Levin <[email protected]>
Cc: Ben Hutchings <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Laura Abbott <[email protected]>
Cc: Andrew Cooper <[email protected]>
Cc: Trilok Soni <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Tony Luck <[email protected]>
Cc: [email protected]
Cc: [email protected]
Acked-by: Dan Williams <[email protected]>
Signed-off-by: Dave Hansen <[email protected]>
--- b/Documentation/process/embargoed-hardware-issues.rst | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff -puN Documentation/process/embargoed-hardware-issues.rst~hw-sec-1 Documentation/process/embargoed-hardware-issues.rst --- a/Documentation/process/embargoed-hardware-issues.rst~hw-sec-1 2019-09-10 08:39:03.879488129 -0700 +++ b/Documentation/process/embargoed-hardware-issues.rst 2019-09-10 08:39:03.883488129 -0700 
@@ -197,10 +197,9 @@ While we understand that hardware securi time, the embargo time should be constrained to the minimum time which is required for all involved parties to develop, test and prepare the mitigations. Extending embargo time artificially to meet conference talk -dates or other non-technical reasons is creating more work and burden for -the involved developers and response teams as the patches need to be kept -up to date in order to follow the ongoing upstream kernel development, -which might create conflicting changes. +dates or other non-technical reasons is possible, but not preferred. These +artificial extensions burden the response team with constant maintenance +updating mitigations to follow upstream kernel development. CVE assignment """""""""""""" _
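Review bot: In the added sentence "These artificial extensions burden the response team with constant maintenance updating mitigations to follow upstream kernel development", the phrase "constant maintenance updating mitigations" does not parse cleanly, and the rewrite narrows the burden from "the involved developers and response teams" in the removed lines to "the response team" alone. Something like "burden the involved developers and response teams, who must keep updating the mitigations to follow upstream kernel development" would keep both audiences and read more easily. The removed text also named the concrete cost ("which might create conflicting changes"); if that rationale is still wanted it needs to be carried over. Finally, "possible, but not preferred" follows directly after the statement that embargo time "should be constrained to the minimum time", and the new wording does not say who agrees to such an extension, so it may be worth stating that explicitly.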
