From: Carlos O'Donell
To: libc-alpha
Subject: The glibc security team and conflicts of interest --- documenting expectations.
Date: Tue, 16 Apr 2024 10:21:51 -0400
Message-ID: <3b0af8d4-1c7d-4f36-acff-999a668ecc40@redhat.com>

I have been actively documenting the glibc security team response process here:

https://sourceware.org/glibc/wiki/CNA/Response

This is part of the broader umbrella of CNA documentation for the project:

https://sourceware.org/glibc/wiki/CNA

I am trying to document the obligations of the security team and the process to follow here in order to make the process repeatable, high quality, and avoid subtle conflicts of interest.

For example, the worst conflict of interest for me occurs when I take a CVE patch developed by the glibc security team, in collaboration with the reporter, and copy it downstream into Fedora or RHEL and prepare a release to be ready for the disclosure date. This represents IMO a misuse of my privilege as part of the glibc security team.

The appropriate solution is to post the patch to linux-distros first, and then once all the distro teams have the patch, copy the patch downstream. This ensures that everyone in the community has a copy of the fix as provided by the upstream glibc security team.

I would like there to be some kind of firewall between the glibc security team and downstream, but I know and realize that this is not often possible, so the best I can do is document my expectation with each different hat that I wear.

Please have a look at the current response document and feel free to provide feedback on the topic.

-- 
Cheers,
Carlos.