public inbox for libc-alpha@sourceware.org
From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: GNU C Library <libc-alpha@sourceware.org>
Subject: GNU C Library as its own CNA?
Date: Fri, 28 Jul 2023 11:56:43 -0400
Message-ID: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>

Hello folks,

We have, for many years, been using distribution security teams to help 
with CVE triage and assignment.  It has worked for the most part, but 
it's not uncommon to have CVEs assigned by organizations that don't 
always have a proper understanding of the security impact of bugs in 
glibc despite us having a clearly documented Security Process[1]; a 
recent example is CVE-2023-0687[2], which we had to jump through many 
hoops just to get it disputed and get the record straight on the bug.

If the GNU C Library had its own CNA, all vulnerabilities reported 
against CVE would have to come to this CNA for triage, thus making sure 
that security issues in glibc get correctly assessed.  As root CNA, Red 
Hat is open to sponsoring FOSS organizations[3] that are willing to have 
their own CNA, subject to certain conditions (all organizational) being 
met.  Is this something that would interest the community?

I am volunteering to take primary responsibility in helping set things 
up, including coordination with the CTI (for whatever additional 
infrastructure this would need), coordination with Red Hat and helping 
build consensus on what the organizational structure should look like.

At the outset, we'll need to have broad agreement on the following:

1. How should users submit issues?  We would need an independent, 
private mailing list, possibly one that can also do PGP for users to 
report security issues.

2. Identify a group of people who ought to be on that list.  A starting 
group could be a cross section of named maintainers from various 
distributions and FSF stewards but we probably need a way to make sure 
that the group is inclusive without being too broad.

3. A formal representation to the root CNA, i.e. Red Hat.  We would need 
a group of volunteers that would be willing to step in as signees for 
this.  I'm in, but I can't do it alone and would need more volunteers; 
it could perhaps be the same set of people who would be part of the 
initial security team in (2).

Thanks,
Sid

[1] https://sourceware.org/glibc/wiki/Security%20Process
[2] https://vuldb.com/?id.220246
[3] https://access.redhat.com/articles/red_hat_cve_program
