Message-ID: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>
Date: Fri, 28 Jul 2023 11:56:43 -0400
From: Siddhesh Poyarekar
Subject: GNU C Library as its own CNA?
To: GNU C Library

Hello folks,

We have, for many years, been using distribution security teams to help with CVE triage and assignment. It has worked for the most part, but it's not uncommon to have CVEs assigned by organizations that don't always have a proper understanding of the security impact of bugs in glibc despite us having a clearly documented Security Process[1]; a recent example is CVE-2023-0687[2], which we had to jump through many hoops just to get it disputed and get the record straight on the bug.

If the GNU C Library had its own CNA, all vulnerabilities reported against CVE would have to come to this CNA for triage, thus making sure that security issues in glibc get correctly assessed. As root CNA, Red Hat is open to sponsoring FOSS organizations[3] that are willing to have their own CNA, subject to certain conditions (all organizational) being met.

Is this something that would interest the community? I am volunteering to take primary responsibility in helping set things up, including coordination with the CTI (for whatever additional infrastructure this would need), coordination with Red Hat and helping build consensus on what the organizational structure should look like.

At the outset, we'll need to have broad agreement on the following:

1. How should users submit issues? We would need an independent, private mailing list, possibly one that can also do PGP for users to report security issues.

2. Identify a group of people who ought to be on that list. A starting group could be a cross section of named maintainers from various distributions and FSF stewards, but we probably need a way to make sure that the group is inclusive without being too broad.

3. A formal representation to the root CNA, i.e. Red Hat. We would need a group of volunteers that would be willing to step in as signees for this. I'm in, but I can't do it alone and would need more volunteers; it could perhaps be the same set of people who would be part of the initial security team in (2).

Thanks,
Sid

[1] https://sourceware.org/glibc/wiki/Security%20Process
[2] https://vuldb.com/?id.220246
[3] https://access.redhat.com/articles/red_hat_cve_program