* The glibc security team and conflicts of interest --- documenting expectations.
@ 2024-04-16 14:21 Carlos O'Donell
0 siblings, 0 replies; only message in thread
From: Carlos O'Donell @ 2024-04-16 14:21 UTC (permalink / raw)
To: libc-alpha
I have been actively documenting the glibc security team response process here:
https://sourceware.org/glibc/wiki/CNA/Response
This is part of the broader umbrella of CNA documentation for the project:
https://sourceware.org/glibc/wiki/CNA
I am trying to document the obligations of the security team and the process
to follow here in order to make the process repeatable, high quality, and avoid
subtle conflicts of interest.
For example the worst conflict of interest for me occurs when I take a CVE
patch developed by the glibc security team, in collaboration with the reporter,
and copy it downstream into Fedora or RHEL and prepare a release to be ready
for the disclosure date. This represents IMO a misuse of my privilege as part
of the glibc security team. The appropriate solution is to post the patch to
linux-distros first, and then once all the distro teams have the patch, copy
the patch downstream. This ensures that everyone in the community has a copy
of the fix as provided by the upstream glibc security team.
I would like there to be some kind of firewall between the glibc security
team and downstream, but I know and realize that this is not often possible
so the best I can do is document my expectation with each different hat on
that I wear.
Please have a look at the current response document and feel free to provide
feedback on the topic.
--
Cheers,
Carlos.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-04-16 14:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-16 14:21 The glibc security team and conflicts of interest --- documenting expectations Carlos O'Donell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).