public inbox for libc-alpha@sourceware.org
* The glibc security team and conflicts of interest --- documenting expectations.
@ 2024-04-16 14:21 Carlos O'Donell
  0 siblings, 0 replies; only message in thread
From: Carlos O'Donell @ 2024-04-16 14:21 UTC (permalink / raw)
  To: libc-alpha

I have been actively documenting the glibc security team response process here:
https://sourceware.org/glibc/wiki/CNA/Response

This is part of the broader umbrella of CNA documentation for the project:
https://sourceware.org/glibc/wiki/CNA

I am trying to document the obligations of the security team and the process
to follow here, in order to make the process repeatable and high quality, and
to avoid subtle conflicts of interest.

For example, the worst conflict of interest for me occurs when I take a CVE
patch developed by the glibc security team, in collaboration with the reporter,
and copy it downstream into Fedora or RHEL and prepare a release to be ready
for the disclosure date. This represents, IMO, a misuse of my privilege as part
of the glibc security team. The appropriate solution is to post the patch to
linux-distros first, and then once all the distro teams have the patch, copy
the patch downstream. This ensures that everyone in the community has a copy
of the fix as provided by the upstream glibc security team.

I would like there to be some kind of firewall between the glibc security
team and downstream, but I know and realize that this is not often possible
so the best I can do is document my expectation with each different hat on
that I wear.

Please have a look at the current response document and feel free to provide
feedback on the topic.

-- 
Cheers,
Carlos.

