From: Siddhesh Poyarekar
To: Carlos O'Donell, GNU C Library
Subject: Re: GNU C Library as its own CNA?
Date: Tue, 12 Sep 2023 07:40:06 -0400
Message-ID: <02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org>
References: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>

On 2023-09-11 08:47, Carlos O'Donell wrote:
> On 7/28/23 11:56, Siddhesh Poyarekar wrote:
>> We have, for many years, been using distribution security teams to
>> help with CVE triage and assignment. It has worked for the most
>> part, but it's not uncommon to have CVEs assigned by organizations
>> that don't always have a proper understanding of the security impact
>> of bugs in glibc despite us having a clearly documented Security
>> Process[1]; a recent example is CVE-2023-0687[2], which we had to
>> jump through many hoops just to get it disputed and get the record
>> straight on the bug.
>>
>> If the GNU C Library had its own CNA, all vulnerabilities reported
>> against CVE would have to come to this CNA for triage, thus making
>> sure that security issues in glibc get correctly assessed. As root
>> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
>> willing to have their own CNA, subject to certain conditions (all
>> organizational) being met. Is this something that would interest the
>> community?
>>
>> I am volunteering to take primary responsibility in helping set
>> things up, including coordination with the CTI (for whatever
>> additional infrastructure this would need), coordination with Red Hat
>> and helping build consensus on what the organizational structure
>> should look like.
>
> Please include me in the list of volunteers.
>
> I think this is a great step forward in reducing downstream CVE work by ensuring
> we have a good upstream review process.
>
>> At the outset, we'll need to have broad agreement on the following:
>>
>> 1. How should users submit issues? We would need an independent,
>> private mailing list, possibly one that can also do PGP for users to
>> report security issues.
>
> Start small. Private mailing list works. I expect we will have to publish and
> accept PGP signed email to all volunteers. So we'll need to publish volunteer
> keys, and have a process for withdrawing volunteer keys.
>
>> 2. Identify a group of people who ought to be on that list. A
>> starting group could be a cross section of named maintainers from
>> various distributions and FSF stewards but we probably need a way to
>> make sure that the group is inclusive without being too broad.
>
> Count me in.
>
>> 3. A formal representation to the root CNA, i.e. Red Hat. We would
>> need a group of volunteers that would be willing to step in as
>> signees for this. I'm in, but I can't do it alone and would need
>> more volunteers; it could perhaps be the same set of people who would
>> be part of the initial security team in (2).
>
> I'm in.

Thanks, anybody else willing to volunteer?

Thanks,
Sid