Re: GNU C Library as its own CNA?

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Carlos O'Donell <carlos@redhat.com>,
	GNU C Library <libc-alpha@sourceware.org>
Subject: Re: GNU C Library as its own CNA?
Date: Tue, 12 Sep 2023 07:40:06 -0400	[thread overview]
Message-ID: <02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org> (raw)
In-Reply-To: <f93f560d-a45f-eab1-ac27-2cc3e3ba7a78@redhat.com>

On 2023-09-11 08:47, Carlos O'Donell wrote:
> On 7/28/23 11:56, Siddhesh Poyarekar wrote:
>> We have, for many years, been using distribution security teams to
>> help with CVE triage and assignment.  It has worked for the most
>> part, but it's not uncommon to have CVEs assigned by organizations
>> that don't always have a proper understanding of the security impact
>> of bugs in glibc despite us having a clearly documented Security
>> Process[1]; a recent example is CVE-2023-0687[2], which we had to
>> jump through many hoops just to get it disputed and get the record
>> straight on the bug.
>>
>> If the GNU C Library had it's own CNA, all vulnerabilities reported
>> against CVE would have to come to this CNA for triage, thus making
>> sure that security issues in glibc get correctly assessed.  As root
>> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
>> willing to have their own CNA, subject to certain conditions (all
>> organizational) being met.  Is this something that would interest the
>> community?
>>
>> I am volunteering to take primary responsibility in helping set
>> things up, including coordination with the CTI (for whatever
>> additional infrastructure this would need), coordination with Red Hat
>> and helping build consensus on what the organizational structure
>> should look like.
> 
> Please include me in the list of volunteers.
> 
> I think this is a great step forward in reducing downstream CVE work by ensuring
> we have a good upstream review process.
>   
>> At the outset, we'll need to have broad agreement on the following:
>>
>> 1. How should users submit issues?  We would need an independent,
>> private mailing list, possibly one that can also do PGP for users to
>> report security issues.
> 
> Start small. Private mailing list works. I expect we will have to publish and
> accept PGP signed email to all volunteers. So we'll need to publish volunteer
> keys, and have a process for withdrawing volunteer keys.
>   
>> 2. Identify a group of people who ought to be on that list.  A
>> starting group could be a cross section of named maintainers from
>> various distributions and FSF stewards but we probably need a way to
>> make sure that the group is inclusive without being too broad.
> 
> Count me in.
> 
>> 3. A formal representation to the root CNA, i.e. Red Hat.  We would
>> need a group of volunteers that would be willing to step in as
>> signees for this.  I'm in, but I can't do it alone and would need
>> more volunteers; it could perhaps be the same set of people who would
>> be part of the initial security team in (2).
> 
> I'm in.

Thanks, anybody else willing to volunteer?

Thanks,
Sid

next prev parent reply	other threads:[~2023-09-12 11:40 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-28 15:56 Siddhesh Poyarekar
2023-07-28 16:09 ` Florian Weimer
2023-07-28 16:11   ` Siddhesh Poyarekar
2023-07-28 16:41 ` Joseph Myers
2023-07-28 17:28   ` Paul Eggert
2023-09-06 11:41     ` Siddhesh Poyarekar
2023-09-06 12:33     ` Florian Weimer
2023-09-06 16:00       ` Paul Eggert
2023-09-06 16:33         ` Florian Weimer
2023-09-06 17:04           ` Paul Eggert
2023-07-31 17:42   ` Siddhesh Poyarekar
2023-09-06 11:40 ` Siddhesh Poyarekar
2023-09-06 18:35   ` Alexandre Oliva
2023-09-06 18:57     ` Siddhesh Poyarekar
2023-09-06 19:02       ` Paul Eggert
2023-09-06 22:01       ` Alexandre Oliva
2023-09-07  0:56         ` Siddhesh Poyarekar
2023-09-07  3:27           ` Alexandre Oliva
2023-09-07 10:48             ` Siddhesh Poyarekar
2023-09-07 15:46               ` Florian Weimer
2023-09-07 17:14               ` Alexandre Oliva
2023-09-08 10:58                 ` Siddhesh Poyarekar
2023-09-10 16:57                   ` Alexandre Oliva
2023-09-11  7:46                     ` Florian Weimer
2023-09-11 12:59                       ` Carlos O'Donell
2023-09-11  9:58                     ` Siddhesh Poyarekar
2023-09-11 12:47 ` Carlos O'Donell
2023-09-12 11:40   ` Siddhesh Poyarekar [this message]
2023-09-12 13:15     ` Adhemerval Zanella Netto

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org \
    --to=siddhesh@gotplt.org \
    --cc=carlos@redhat.com \
    --cc=libc-alpha@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).