From: Siddhesh Poyarekar
To: Noah Goldstein
Cc: GNU C Library, Carlos O'Donell, Adhemerval Zanella
Date: Thu, 12 Oct 2023 18:24:58 -0400
Subject: Re: [RFC] Publishing glibc advisories
Message-ID: <6a081acc-0faa-c2fb-c99d-5a44bbbd2496@gotplt.org>
References: <3b60b07f-d1a3-c8f2-26cc-728ce1bfe338@gotplt.org>

On 2023-10-12 18:09, Noah Goldstein wrote:
> Personally would think it makes more sense to keep in the current repo.
> Not everyone checking out the code will know to look for glibc-advisories.git
> so it just seems liable to cause people to miss them.

Oh so the code would continue to have the information it currently does, e.g. CVE numbers in the commits and in NEWS. This is for additional information that gets announced as advisories, that refer to, e.g. commits in the repository that contributed to fixing the CVE, branches the fixes were backported to, etc.

Here are some example announcements:

https://www.openwall.com/lists/oss-security/2023/10/11/1
https://mail.python.org/archives/list/security-announce@python.org/thread/TRTM4UVSANUWNHC2QY2X73E5IBQLQU76/
https://www.openwall.com/lists/oss-security/2023/10/10/9

All of them admittedly share different amounts of information, but I was hoping for us to be as informative as possible.

Thanks,
Sid