Message-ID: <391e524c-bf2a-56aa-027b-da98bbce83b3@redhat.com>
Date: Mon, 11 Sep 2023 08:59:03 -0400
Subject: Re: GNU C Library as its own CNA?
To: Florian Weimer, Alexandre Oliva
Cc: Siddhesh Poyarekar, GNU C Library
From: Carlos O'Donell
Organization: Red Hat
In-Reply-To: <87jzsx2lvl.fsf@oldenburg.str.redhat.com>

On 9/11/23 03:46, Florian Weimer wrote:
> * Alexandre Oliva:
>
>> On Sep 8, 2023, Siddhesh Poyarekar wrote:
>>
>>> A single non-root CNA for all of the GNU project doesn't make sense to
>>> me, given that packages have very distinct communities and needs.
>>
>> It seems like you're saying that GNU, as a CNA, would be unable to offer
>> to individual packages whatever it is that Red Hat, as root CNA, would.
>> Could you please elaborate on that distinction you're making?
>
> I think we'd still want per-component CNAs, whether the GNU project is a
> (root) CNA or not.

Agreed.

Per-component CNAs create the least back-and-forth between the reporter
and the people who wrote the code and know how it works and the security
policies for the project.

> I suggest we start with Red Hat as the root CNA, get the glibc CNA set
> up. Once you have figured out the details with MITRE and the FSF and
> the GNU root is established, we can move over.

Agreed, this is the best first step IMO.

--
Cheers,
Carlos.