public inbox for libc-alpha@sourceware.org
* [PATCH] Provide a SECURITY.md for glibc.
From: Carlos O'Donell @ 2023-02-22 17:19 UTC (permalink / raw)
  To: libc-alpha, fweimer; +Cc: Carlos O'Donell

Upstream scanners will look for a SECURITY.md to determine if the
project has a security process. In 2014 glibc adopted a public
security process that we document on the wiki here:
https://sourceware.org/glibc/wiki/Security%20Process

This creates a SECURITY.md file that points directly at the security
process in the wiki and indicates that glibc has a policy.
---
 SECURITY.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..579df63a7b
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,4 @@
+# Security Process
+
+For the GNU C Library please use the following documented security process:
+[Security Process](https://sourceware.org/glibc/wiki/Security%20Process).
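Review bot: The whole file is a single link to the wiki, so anyone reading a checked-out tree (or any scanner that parses the file rather than only checking that it exists) gets no contact point without following the link, and the file goes silently stale if the wiki page is ever renamed. Suggest stating the reporting channel that the wiki documents directly in SECURITY.md and keeping the link for the full process description; the commit message could also record that GitHub recognizes a SECURITY.md in the repository root as the project's security policy, since that is the stated reason forks of glibc benefit from it.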
-- 
2.39.2



* Re: [PATCH] Provide a SECURITY.md for glibc.
From: Florian Weimer @ 2023-02-23 11:44 UTC (permalink / raw)
  To: Carlos O'Donell; +Cc: libc-alpha

* Carlos O'Donell:

> Upstrem scanners will look for a SECURITY.md to determine if the

What's an “upstream scanner”?  How do these scanners discover Sourceware
Git repositories?

Thanks,
Florian



* Re: [PATCH] Provide a SECURITY.md for glibc.
From: Carlos O'Donell @ 2023-02-23 19:15 UTC (permalink / raw)
  To: Florian Weimer; +Cc: libc-alpha

On 2/23/23 06:44, Florian Weimer wrote:
> * Carlos O'Donell:
> 
>> Upstrem scanners will look for a SECURITY.md to determine if the
> 
> What's an “upstream scanner”?  How do these scanners discover Sourceware
> Git repositories?

(1) What is an upstream scanner?

Typo s/Upstrem/Upstream/g.

When I wrote "Upstream scanners" I meant tooling being used by projects to scan the
set of dependencies on the project to see if they met a given security policy.

Such a security policy might be: "All projects included in a product must have a
security reporting policy."

(2) How do these scanners discover Sourceware Git repositories?

They don't.

Either the scanners scan a tarball or...

Or glibc forks in gitlab and github are used by other projects and those
repositories are scanned by scanners that look at github sources.

There are 1000+ repositories in github with glibc in the name, mostly forks for
specific projects.

Github itself can be configured with a security policy around this topic:
https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

It would therefore be useful to make sure that projects including glibc are
able to determine, easily, how to submit security issues.

Does that answer your questions?

-- 
Cheers,
Carlos.


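As an added example (not glibc's code, and not the scanner tooling Carlos refers to), a small Python checker that models the dependency policy he describes: every project in a tree of vendored dependencies must carry a SECURITY.md in one of the locations GitHub recognizes, and that file must name a contact point (URL or e-mail) rather than exist as an empty marker. The sample tree, the `glibc-fork` and `libfoo` project names, and the status labels are constructed for the example; the glibc SECURITY.md content is the one from the patch.

```python
"""Check a tree of vendored dependencies for a usable SECURITY.md."""
import re
import tempfile
from pathlib import Path

# Locations GitHub looks in for a repository's security policy.
POLICY_LOCATIONS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

# A contact point is a URL (stopping before Markdown link closers) or an e-mail.
CONTACT_RE = re.compile(r"https?://[^\s)\]]+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def find_policy(project: Path):
    """Return the first SECURITY.md found in a recognized location, else None."""
    for rel in POLICY_LOCATIONS:
        candidate = project / rel
        if candidate.is_file():
            return candidate
    return None


def check_project(project: Path) -> dict:
    """Classify one project as 'missing', 'no-contact' or 'ok'."""
    policy = find_policy(project)
    if policy is None:
        return {"project": project.name, "status": "missing", "contacts": []}
    contacts = CONTACT_RE.findall(policy.read_text(encoding="utf-8"))
    status = "ok" if contacts else "no-contact"
    return {"project": project.name, "status": status, "contacts": contacts}


def scan_dependencies(root: Path) -> list:
    """Apply the policy to every project directory under root, in sorted order."""
    return [check_project(p) for p in sorted(root.iterdir()) if p.is_dir()]


# Constructed sample tree: a glibc checkout with the 4-line SECURITY.md from the
# patch, a fork with no policy at all, and a project whose policy names no contact.
GLIBC_SECURITY_MD = (
    "# Security Process\n\n"
    "For the GNU C Library please use the following documented security process:\n"
    "[Security Process](https://sourceware.org/glibc/wiki/Security%20Process).\n"
)


def build_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="deps-"))
    (root / "glibc").mkdir()
    (root / "glibc" / "SECURITY.md").write_text(GLIBC_SECURITY_MD, encoding="utf-8")
    (root / "glibc-fork").mkdir()  # hypothetical fork: no SECURITY.md anywhere
    (root / "libfoo" / ".github").mkdir(parents=True)
    (root / "libfoo" / ".github" / "SECURITY.md").write_text("See the wiki.\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for r in scan_dependencies(build_sample_tree()):
        print(f"{r['project']:12} {r['status']:10} {', '.join(r['contacts'])}")
```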

* Re: [PATCH] Provide a SECURITY.md for glibc.
From: Siddhesh Poyarekar @ 2023-03-27 13:18 UTC (permalink / raw)
  To: Carlos O'Donell, Florian Weimer; +Cc: libc-alpha

On 2023-02-23 14:15, Carlos O'Donell via Libc-alpha wrote:
> Github itself can be configured with a security policy around this topic:
> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

Maybe this should be noted in the git commit log for posterity.

Thanks,
Sid


* Re: [PATCH] Provide a SECURITY.md for glibc.
From: Siddhesh Poyarekar @ 2023-04-05 19:24 UTC (permalink / raw)
  To: Carlos O'Donell, Florian Weimer; +Cc: libc-alpha

On 2023-03-27 09:18, Siddhesh Poyarekar wrote:
> On 2023-02-23 14:15, Carlos O'Donell via Libc-alpha wrote:
>> Github itself can be configured with a security policy around this topic:
>> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
> 
> Maybe this should be noted in the git commit log for posterity.

Also, I wonder if it makes sense to move all of that content off the 
wiki and into the SECURITY.md.

Thanks,
Sid
