From: Dave Hansen <dave.han...@linux.intel.com>
Transparency is good. It it essential for everyone working under an embargo to know who is involved and who else is a "knower". Being transparent allows everyone to always make informed decisions about ongoing participating in a mitigation effort. Add a step to the subscription process which will notify existing subscribers when a new one is added. While I think this is good for everyone, this patch represents my personal opinion and not that of my employer. Cc: Jonathan Corbet <cor...@lwn.net> Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org> Cc: Sasha Levin <sas...@kernel.org> Cc: Ben Hutchings <b...@decadent.org.uk> Cc: Thomas Gleixner <t...@linutronix.de> Cc: Laura Abbott <labb...@redhat.com> Cc: Andrew Cooper <andrew.coop...@citrix.com> Cc: Trilok Soni <ts...@codeaurora.org> Cc: Kees Cook <keesc...@chromium.org> Cc: Tony Luck <tony.l...@intel.com> Cc: linux-doc@vger.kernel.org Cc: linux-ker...@vger.kernel.org Acked-by: Dan Williams <dan.j.willi...@intel.com> Signed-off-by: Dave Hansen <dave.han...@linux.intel.com> --- b/Documentation/process/embargoed-hardware-issues.rst | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff -puN Documentation/process/embargoed-hardware-issues.rst~hw-sec-2 Documentation/process/embargoed-hardware-issues.rst --- a/Documentation/process/embargoed-hardware-issues.rst~hw-sec-2 2019-09-10 09:58:47.989476197 -0700 +++ b/Documentation/process/embargoed-hardware-issues.rst 2019-09-10 09:58:47.992476197 -0700 @@ -276,10 +276,11 @@ certificate. If a PGP key is used, it mu server and is ideally connected to the Linux kernel's PGP web of trust. See also: https://www.kernel.org/signature.html. -The response team verifies that the subscriber request is valid and adds -the subscriber to the list. After subscription the subscriber will receive -email from the mailing-list which is signed either with the list's PGP key -or the list's S/MIME certificate. The subscriber's email client can extract -the PGP key or the S/MIME certificate from the signature so the subscriber -can send encrypted email to the list. +The response team verifies that the subscriber request is valid, adds the +subscriber to the list, and notifies the existing list subscribers +including the disclosing party. After subscription the subscriber will +receive email from the mailing-list which is signed either with the list's +PGP key or the list's S/MIME certificate. The subscriber's email client can +extract the PGP key or the S/MIME certificate from the signature so the +subscriber can send encrypted email to the list. _
