Date: Wed, 6 Sep 2023 20:56:03 -0400
Subject: Re: GNU C Library as its own CNA?
To: Alexandre Oliva
Cc: GNU C Library
From: Siddhesh Poyarekar

On 2023-09-06 18:01, Alexandre Oliva wrote:
> No, that would be reading too much into what I wrote about an earlier
> attempt to make GNU a CNA.

OK, thanks for clarifying. Then I continue to look for volunteers.

> I'd just be surprised if anyone serious about software freedom and
> security would seriously consider engaging with that web site while it
> remains detrimental to both of these concerns.
>
> If we can find people who don't mind interacting with it as it is, I
> suppose we might, but there might be continuity challenges, and, having
> been denied access to the site because of javascrippling, I don't even
> know how much of a commitment by any community it would amount to.
>
> I expect finding people who care about freedom and security but don't
> mind interacting with that website to be difficult, so that is a point
> of concern for me.
>
> If we do find a path forward, however, it would be useful to extend it
> to all of GNU, because there was much interest, we just couldn't figure
> out a way to make interaction viable.

That would be a worthy goal, but it may be best to have individual CNAs
for glibc, binutils, gcc, etc. because it allows the individual
communities to nominate their own security teams for example and run
independently. Let's see how the glibc experiment goes and then we can
extend the idea to other parts of the toolchain.

Thanks,
Sid