From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>,
Carlos O'Donell <carlos@redhat.com>,
GNU C Library <libc-alpha@sourceware.org>
Subject: Re: GNU C Library as its own CNA?
Date: Tue, 12 Sep 2023 10:15:50 -0300 [thread overview]
Message-ID: <8662163d-d6f5-c7ac-d897-d8aaa7415c07@linaro.org> (raw)
In-Reply-To: <02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org>
On 12/09/23 08:40, Siddhesh Poyarekar wrote:
> On 2023-09-11 08:47, Carlos O'Donell wrote:
>> On 7/28/23 11:56, Siddhesh Poyarekar wrote:
>>> We have, for many years, been using distribution security teams to
>>> help with CVE triage and assignment. It has worked for the most
>>> part, but it's not uncommon to have CVEs assigned by organizations
>>> that don't always have a proper understanding of the security impact
>>> of bugs in glibc despite us having a clearly documented Security
>>> Process[1]; a recent example is CVE-2023-0687[2], which we had to
>>> jump through many hoops just to get it disputed and get the record
>>> straight on the bug.
>>>
>>> If the GNU C Library had it's own CNA, all vulnerabilities reported
>>> against CVE would have to come to this CNA for triage, thus making
>>> sure that security issues in glibc get correctly assessed. As root
>>> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
>>> willing to have their own CNA, subject to certain conditions (all
>>> organizational) being met. Is this something that would interest the
>>> community?
>>>
>>> I am volunteering to take primary responsibility in helping set
>>> things up, including coordination with the CTI (for whatever
>>> additional infrastructure this would need), coordination with Red Hat
>>> and helping build consensus on what the organizational structure
>>> should look like.
>>
>> Please include me in the list of volunteers.
>>
>> I think this is a great step forward in reducing downstream CVE work by ensuring
>> we have a good upstream review process.
>>
>>> At the outset, we'll need to have broad agreement on the following:
>>>
>>> 1. How should users submit issues? We would need an independent,
>>> private mailing list, possibly one that can also do PGP for users to
>>> report security issues.
>>
>> Start small. Private mailing list works. I expect we will have to publish and
>> accept PGP signed email to all volunteers. So we'll need to publish volunteer
>> keys, and have a process for withdrawing volunteer keys.
>>
>>> 2. Identify a group of people who ought to be on that list. A
>>> starting group could be a cross section of named maintainers from
>>> various distributions and FSF stewards but we probably need a way to
>>> make sure that the group is inclusive without being too broad.
>>
>> Count me in.
>>
>>> 3. A formal representation to the root CNA, i.e. Red Hat. We would
>>> need a group of volunteers that would be willing to step in as
>>> signees for this. I'm in, but I can't do it alone and would need
>>> more volunteers; it could perhaps be the same set of people who would
>>> be part of the initial security team in (2).
>>
>> I'm in.
>
> Thanks, anybody else willing to volunteer?
I can help on this as well.
prev parent reply other threads:[~2023-09-12 13:15 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 15:56 Siddhesh Poyarekar
2023-07-28 16:09 ` Florian Weimer
2023-07-28 16:11 ` Siddhesh Poyarekar
2023-07-28 16:41 ` Joseph Myers
2023-07-28 17:28 ` Paul Eggert
2023-09-06 11:41 ` Siddhesh Poyarekar
2023-09-06 12:33 ` Florian Weimer
2023-09-06 16:00 ` Paul Eggert
2023-09-06 16:33 ` Florian Weimer
2023-09-06 17:04 ` Paul Eggert
2023-07-31 17:42 ` Siddhesh Poyarekar
2023-09-06 11:40 ` Siddhesh Poyarekar
2023-09-06 18:35 ` Alexandre Oliva
2023-09-06 18:57 ` Siddhesh Poyarekar
2023-09-06 19:02 ` Paul Eggert
2023-09-06 22:01 ` Alexandre Oliva
2023-09-07 0:56 ` Siddhesh Poyarekar
2023-09-07 3:27 ` Alexandre Oliva
2023-09-07 10:48 ` Siddhesh Poyarekar
2023-09-07 15:46 ` Florian Weimer
2023-09-07 17:14 ` Alexandre Oliva
2023-09-08 10:58 ` Siddhesh Poyarekar
2023-09-10 16:57 ` Alexandre Oliva
2023-09-11 7:46 ` Florian Weimer
2023-09-11 12:59 ` Carlos O'Donell
2023-09-11 9:58 ` Siddhesh Poyarekar
2023-09-11 12:47 ` Carlos O'Donell
2023-09-12 11:40 ` Siddhesh Poyarekar
2023-09-12 13:15 ` Adhemerval Zanella Netto [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8662163d-d6f5-c7ac-d897-d8aaa7415c07@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=carlos@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).