Message-ID: <16fdd6ba-aa7a-799f-496d-b0cbe0b67dd6@gotplt.org>
Date: Mon, 11 Sep 2023 05:58:47 -0400
To: Alexandre Oliva
Cc: GNU C Library
From: Siddhesh Poyarekar
Subject: Re: GNU C Library as its own CNA?

On 2023-09-10 12:57, Alexandre Oliva wrote:
> On Sep 8, 2023, Siddhesh Poyarekar wrote:
>
>> A single non-root CNA for all of the GNU project doesn't make sense to
>> me, given that packages have very distinct communities and needs.
>
> It seems like you're saying that GNU, as a CNA, would be unable to offer
> to individual packages whatever it is that Red Hat, as root CNA, would.
> Could you please elaborate on that distinction you're making?
> Presumably you know more about it than I do, and if you're on to
> something, that would suggest that GNU should pursue becoming a root
> CNA, so that it can offer its packages the same sort of status you
> appear to expect when you state that it would make no sense for them to
> be under a non-root CNA.

A root CNA may have subordinate CNAs under it that would be responsible
for triage and CVE assignment for their project; a subordinate CNA may
not.

It may be possible to have a single GNU subordinate CNA under Red Hat
and then form a GNU security organization that emulates this internally
somehow but I don't see the point of doing that because the security
needs of individual projects in GNU vary widely and they're best served
by their individual communities.

If GNU registers as a root CNA with Mitre at some point, like Florian
said, the glibc CNA could just move under it. It is pointless to try
and complicate the process at this initial stage IMO.

Sid