From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: GNU C Library <libc-alpha@sourceware.org>
Subject: GNU C Library as its own CNA?
Date: Fri, 28 Jul 2023 11:56:43 -0400
Message-ID: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>
Hello folks,
We have, for many years, been using distribution security teams to help
with CVE triage and assignment. It has worked for the most part, but
it's not uncommon to have CVEs assigned by organizations that don't
always have a proper understanding of the security impact of bugs in
glibc despite us having a clearly documented Security Process[1]; a
recent example is CVE-2023-0687[2], which we had to jump through many
hoops just to get it disputed and get the record straight on the bug.
If the GNU C Library had its own CNA, all vulnerabilities reported
against CVE would have to come to this CNA for triage, thus making sure
that security issues in glibc get correctly assessed. As root CNA, Red
Hat is open to sponsoring FOSS organizations[3] that are willing to have
their own CNA, subject to certain conditions (all organizational) being
met. Is this something that would interest the community?
I am volunteering to take primary responsibility in helping set things
up, including coordination with the CTI (for whatever additional
infrastructure this would need), coordination with Red Hat and helping
build consensus on what the organizational structure should look like.
At the outset, we'll need to have broad agreement on the following:
1. How should users submit issues? We would need an independent,
private mailing list, possibly one that can also do PGP for users to
report security issues.
2. Identify a group of people who ought to be on that list. A starting
group could be a cross section of named maintainers from various
distributions and FSF stewards but we probably need a way to make sure
that the group is inclusive without being too broad.
3. A formal representation to the root CNA, i.e. Red Hat. We would need
a group of volunteers that would be willing to step in as signees for
this. I'm in, but I can't do it alone and would need more volunteers;
it could perhaps be the same set of people who would be part of the
initial security team in (2).
Thanks,
Sid
[1] https://sourceware.org/glibc/wiki/Security%20Process
[2] https://vuldb.com/?id.220246
[3] https://access.redhat.com/articles/red_hat_cve_program
Thread overview: 29+ messages
2023-07-28 15:56 Siddhesh Poyarekar [this message]
2023-07-28 16:09 ` Florian Weimer
2023-07-28 16:11 ` Siddhesh Poyarekar
2023-07-28 16:41 ` Joseph Myers
2023-07-28 17:28 ` Paul Eggert
2023-09-06 11:41 ` Siddhesh Poyarekar
2023-09-06 12:33 ` Florian Weimer
2023-09-06 16:00 ` Paul Eggert
2023-09-06 16:33 ` Florian Weimer
2023-09-06 17:04 ` Paul Eggert
2023-07-31 17:42 ` Siddhesh Poyarekar
2023-09-06 11:40 ` Siddhesh Poyarekar
2023-09-06 18:35 ` Alexandre Oliva
2023-09-06 18:57 ` Siddhesh Poyarekar
2023-09-06 19:02 ` Paul Eggert
2023-09-06 22:01 ` Alexandre Oliva
2023-09-07 0:56 ` Siddhesh Poyarekar
2023-09-07 3:27 ` Alexandre Oliva
2023-09-07 10:48 ` Siddhesh Poyarekar
2023-09-07 15:46 ` Florian Weimer
2023-09-07 17:14 ` Alexandre Oliva
2023-09-08 10:58 ` Siddhesh Poyarekar
2023-09-10 16:57 ` Alexandre Oliva
2023-09-11 7:46 ` Florian Weimer
2023-09-11 12:59 ` Carlos O'Donell
2023-09-11 9:58 ` Siddhesh Poyarekar
2023-09-11 12:47 ` Carlos O'Donell
2023-09-12 11:40 ` Siddhesh Poyarekar
2023-09-12 13:15 ` Adhemerval Zanella Netto