From: Arnaud Charlet
Date: Wed, 20 Sep 2023 09:36:16 +0200
Subject: Re: [RFC] GCC Security policy
To: David Edelsohn
Cc: GCC Patches, Siddhesh Poyarekar, "Carlos O'Donell", Frederic Leger, Arnaud Charlet

This is a great initiative, I think. See the reference to AdaCore's security
email below (among Debian, Red Hat, SUSE).

On Mon, Aug 7, 2023 at 7:30 PM David Edelsohn via Gcc-patches <gcc-patches@gcc.gnu.org> wrote:

> FOSS Best Practices recommends that projects have an official Security
> policy stated in a SECURITY.md or SECURITY.txt file at the root of the
> repository. GLIBC and Binutils have added such documents.
>
> Appended is a prototype for a Security policy file for GCC based on the
> Binutils document because GCC seems to have more affinity with Binutils as
> a tool. Do the runtime libraries distributed with GCC, especially libgcc,
> require additional security policies?
>
> [ ] Is it appropriate to use the Binutils SECURITY.txt as the starting
> point or should GCC use GLIBC SECURITY.md as the starting point for the GCC
> Security policy?
>
> [ ] Does GCC, or some components of GCC, require additional care because of
> runtime libraries like libgcc and libstdc++, and because of gcov and
> profile-directed feedback?
>
> Thoughts?
>
> Thanks, David
>
> GCC Security Process
> ====================
>
> What is a GCC security bug?
> ===========================
>
> A security bug is one that threatens the security of a system or
> network, or might compromise the security of data stored on it.
> In the context of GCC there are two ways in which such
> bugs might occur. In the first, the programs themselves might be
> tricked into a direct compromise of security. In the second, the
> tools might introduce a vulnerability in the generated output that
> was not already present in the files used as input.
>
> Other than that, all other bugs will be treated as non-security
> issues. This does not mean that they will be ignored, just that
> they will not be given the priority that is given to security bugs.
>
> This stance applies to the creation tools in the GCC (e.g.,
> gcc, g++, gfortran, gccgo, gccrs, gnat, cpp, gcov, etc.) and the
> libraries that they use.
>
> Notes:
> ======
>
> None of the programs in GCC need elevated privileges to operate and
> it is recommended that users do not use them from accounts where such
> privileges are automatically available.
>
> Reporting private security bugs
> ===============================
>
> *All bugs reported in the GCC Bugzilla are public.*
>
> In order to report a private security bug that is not immediately
> public, please contact one of the downstream distributions with
> security teams. The following teams have volunteered to handle
> such bugs:
>
> Debian: security@debian.org
> Red Hat: secalert@redhat.com
> SUSE: security@suse.de

Can you also please add:

AdaCore: product-security@adacore.com

>
> Please report the bug to just one of these teams. It will be shared
> with other teams as necessary.
>
> The team contacted will take care of details such as vulnerability
> rating and CVE assignment (http://cve.mitre.org/about/). It is likely
> that the team will ask to file a public bug because the issue is
> sufficiently minor and does not warrant an embargo. An embargo is not
> a requirement for being credited with the discovery of a security
> vulnerability.
>
> Reporting public security bugs
> ==============================
>
> It is expected that critical security bugs will be rare, and that most
> security bugs can be reported in GCC, thus making
> them public immediately. The system can be found here:
>
> https://gcc.gnu.org/bugzilla/