From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Carlos O'Donell <carlos@redhat.com>,
GNU C Library <libc-alpha@sourceware.org>
Subject: Re: GNU C Library as its own CNA?
Date: Tue, 12 Sep 2023 07:40:06 -0400 [thread overview]
Message-ID: <02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org> (raw)
In-Reply-To: <f93f560d-a45f-eab1-ac27-2cc3e3ba7a78@redhat.com>
On 2023-09-11 08:47, Carlos O'Donell wrote:
> On 7/28/23 11:56, Siddhesh Poyarekar wrote:
>> We have, for many years, been using distribution security teams to
>> help with CVE triage and assignment. It has worked for the most
>> part, but it's not uncommon to have CVEs assigned by organizations
>> that don't always have a proper understanding of the security impact
>> of bugs in glibc despite us having a clearly documented Security
>> Process[1]; a recent example is CVE-2023-0687[2], which we had to
>> jump through many hoops just to get it disputed and get the record
>> straight on the bug.
>>
>> If the GNU C Library had it's own CNA, all vulnerabilities reported
>> against CVE would have to come to this CNA for triage, thus making
>> sure that security issues in glibc get correctly assessed. As root
>> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
>> willing to have their own CNA, subject to certain conditions (all
>> organizational) being met. Is this something that would interest the
>> community?
>>
>> I am volunteering to take primary responsibility in helping set
>> things up, including coordination with the CTI (for whatever
>> additional infrastructure this would need), coordination with Red Hat
>> and helping build consensus on what the organizational structure
>> should look like.
>
> Please include me in the list of volunteers.
>
> I think this is a great step forward in reducing downstream CVE work by ensuring
> we have a good upstream review process.
>
>> At the outset, we'll need to have broad agreement on the following:
>>
>> 1. How should users submit issues? We would need an independent,
>> private mailing list, possibly one that can also do PGP for users to
>> report security issues.
>
> Start small. Private mailing list works. I expect we will have to publish and
> accept PGP signed email to all volunteers. So we'll need to publish volunteer
> keys, and have a process for withdrawing volunteer keys.
>
>> 2. Identify a group of people who ought to be on that list. A
>> starting group could be a cross section of named maintainers from
>> various distributions and FSF stewards but we probably need a way to
>> make sure that the group is inclusive without being too broad.
>
> Count me in.
>
>> 3. A formal representation to the root CNA, i.e. Red Hat. We would
>> need a group of volunteers that would be willing to step in as
>> signees for this. I'm in, but I can't do it alone and would need
>> more volunteers; it could perhaps be the same set of people who would
>> be part of the initial security team in (2).
>
> I'm in.
Thanks, anybody else willing to volunteer?
Thanks,
Sid
next prev parent reply other threads:[~2023-09-12 11:40 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 15:56 Siddhesh Poyarekar
2023-07-28 16:09 ` Florian Weimer
2023-07-28 16:11 ` Siddhesh Poyarekar
2023-07-28 16:41 ` Joseph Myers
2023-07-28 17:28 ` Paul Eggert
2023-09-06 11:41 ` Siddhesh Poyarekar
2023-09-06 12:33 ` Florian Weimer
2023-09-06 16:00 ` Paul Eggert
2023-09-06 16:33 ` Florian Weimer
2023-09-06 17:04 ` Paul Eggert
2023-07-31 17:42 ` Siddhesh Poyarekar
2023-09-06 11:40 ` Siddhesh Poyarekar
2023-09-06 18:35 ` Alexandre Oliva
2023-09-06 18:57 ` Siddhesh Poyarekar
2023-09-06 19:02 ` Paul Eggert
2023-09-06 22:01 ` Alexandre Oliva
2023-09-07 0:56 ` Siddhesh Poyarekar
2023-09-07 3:27 ` Alexandre Oliva
2023-09-07 10:48 ` Siddhesh Poyarekar
2023-09-07 15:46 ` Florian Weimer
2023-09-07 17:14 ` Alexandre Oliva
2023-09-08 10:58 ` Siddhesh Poyarekar
2023-09-10 16:57 ` Alexandre Oliva
2023-09-11 7:46 ` Florian Weimer
2023-09-11 12:59 ` Carlos O'Donell
2023-09-11 9:58 ` Siddhesh Poyarekar
2023-09-11 12:47 ` Carlos O'Donell
2023-09-12 11:40 ` Siddhesh Poyarekar [this message]
2023-09-12 13:15 ` Adhemerval Zanella Netto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=carlos@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).