1. Patchew
  2. linux
  3. View series

[PATCH] Documentation: insist on the plain-text requirement for security reports

Willy Tarreau posted 1 patch 2 days, 7 hours ago 
Documentation/process/security-bugs.rst | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH] Documentation: insist on the plain-text requirement for security reports
Posted by Willy Tarreau 2 days, 7 hours ago 
As the trend of AI-generated reports is growing, the trend of unreadable
reports in gimmicky formats is following, and we cannot request that
developers rely on online viewers to be able to read a security report
full for formatting tags. Let's just insist on the plain text requirement
a bit more.

Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 Documentation/process/security-bugs.rst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 84657e7d2e5b..c0cf93e11565 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -33,12 +33,16 @@ that can speed up the process considerably.  It is possible that the
 security team will bring in extra help from area maintainers to
 understand and fix the security vulnerability.
 
-Please send plain text emails without attachments where possible.
+Please send **plain text** emails without attachments where possible.
 It is much harder to have a context-quoted discussion about a complex
 issue if all the details are hidden away in attachments.  Think of it like a
 :doc:`regular patch submission <../process/submitting-patches>`
 (even if you don't have a patch yet): describe the problem and impact, list
 reproduction steps, and follow it with a proposed fix, all in plain text.
+Markdown, HTML and RST formatted reports are particularly frowned upon since
+they're quite hard to read for humans and encourage to use dedicated viewers,
+sometimes online, which by definition is not acceptable for a confidential
+security report.
 
 Disclosure and embargoed information
 ------------------------------------
-- 
2.17.5
Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
Posted by Ingo Molnar an hour ago 
* Willy Tarreau <w@1wt.eu> wrote:

> As the trend of AI-generated reports is growing, the trend of unreadable
> reports in gimmicky formats is following, and we cannot request that
> developers rely on online viewers to be able to read a security report
> full for formatting tags. Let's just insist on the plain text requirement
> a bit more.
> 
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
>  Documentation/process/security-bugs.rst | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index 84657e7d2e5b..c0cf93e11565 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -33,12 +33,16 @@ that can speed up the process considerably.  It is possible that the
>  security team will bring in extra help from area maintainers to
>  understand and fix the security vulnerability.
>  
> -Please send plain text emails without attachments where possible.
> +Please send **plain text** emails without attachments where possible.

So maybe part of the confusion is that this sentence 
can be read permissively, depending how the 'where 
possible' qualifier is interpreted:

    Please send plain text emails without attachments, 
    where possible.

Note how "it's not possible because my report is in 
PDF" seems to allow for that in the permissive reading.

What that sentence should really say is something like:

   Please send plain text emails only. Please do not 
   include any attachments, where possible.

This makes it clear that only plain text emails are 
acceptable.

Ie. something like the patch below?

Thanks,

	Ingo

============================================>
Signed-off-by: Ingo Molnar <mingo@kernel.org>

 Documentation/process/security-bugs.rst | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 84657e7d2e5b..4a76928a700e 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -33,12 +33,16 @@ that can speed up the process considerably.  It is possible that the
 security team will bring in extra help from area maintainers to
 understand and fix the security vulnerability.
 
-Please send plain text emails without attachments where possible.
-It is much harder to have a context-quoted discussion about a complex
-issue if all the details are hidden away in attachments.  Think of it like a
-:doc:`regular patch submission <../process/submitting-patches>`
+Please send **plain text** emails only. Please do not include any
+attachments, where possible.  It is much harder to have a context-quoted
+discussion about a complex issue if all the details are hidden away
+in attachments.  Think of it like a :doc:`regular patch submission <../process/submitting-patches>`
 (even if you don't have a patch yet): describe the problem and impact, list
 reproduction steps, and follow it with a proposed fix, all in plain text.
+Markdown, HTML and RST formatted reports are particularly frowned upon since
+they're quite hard to read for humans and encourage to use dedicated viewers,
+sometimes online, which by definition is not acceptable for a confidential
+security report.
 
 Disclosure and embargoed information
 ------------------------------------
Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
Posted by Greg KH 15 hours ago 
On Sat, Nov 29, 2025 at 03:17:41PM +0100, Willy Tarreau wrote:
> As the trend of AI-generated reports is growing, the trend of unreadable
> reports in gimmicky formats is following, and we cannot request that
> developers rely on online viewers to be able to read a security report
> full for formatting tags. Let's just insist on the plain text requirement
> a bit more.
> 
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
>  Documentation/process/security-bugs.rst | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Looks good to me!  Given the number of non-plain-text emails with binary
attachments we still get there, it's obvious not many people seem to
read this file, but it can't hurt!  :)

I'll queue this up if Jon doesn't, after -rc1 is out.  If he wants to
take it, here's my:

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
Posted by Willy Tarreau 14 hours ago 
On Mon, Dec 01, 2025 at 07:38:17AM +0100, Greg KH wrote:
> On Sat, Nov 29, 2025 at 03:17:41PM +0100, Willy Tarreau wrote:
> > As the trend of AI-generated reports is growing, the trend of unreadable
> > reports in gimmicky formats is following, and we cannot request that
> > developers rely on online viewers to be able to read a security report
> > full for formatting tags. Let's just insist on the plain text requirement
> > a bit more.
> > 
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
> > ---
> >  Documentation/process/security-bugs.rst | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> Looks good to me!  Given the number of non-plain-text emails with binary
> attachments we still get there, it's obvious not many people seem to
> read this file, but it can't hurt!  :)

At least it gives us a place to point to, saying "look at the rules".

> I'll queue this up if Jon doesn't, after -rc1 is out.  If he wants to
> take it, here's my:
> 
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thanks! Oh BTW I'm noticing a typo in the commit message above
"full for" instead of "full of". Feel free to adjust it while
applying, though it's really not important (and no, I won't
respin a patch just for this :-)).

Willy

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.