Re: GNU C Library as its own CNA?

[Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>]

On 12/09/23 08:40, Siddhesh Poyarekar wrote:
> On 2023-09-11 08:47, Carlos O'Donell wrote:
>> On 7/28/23 11:56, Siddhesh Poyarekar wrote:
>>> We have, for many years, been using distribution security teams to
>>> help with CVE triage and assignment.  It has worked for the most
>>> part, but it's not uncommon to have CVEs assigned by organizations
>>> that don't always have a proper understanding of the security impact
>>> of bugs in glibc despite us having a clearly documented Security
>>> Process[1]; a recent example is CVE-2023-0687[2], which we had to
>>> jump through many hoops just to get it disputed and get the record
>>> straight on the bug.
>>>
>>> If the GNU C Library had it's own CNA, all vulnerabilities reported
>>> against CVE would have to come to this CNA for triage, thus making
>>> sure that security issues in glibc get correctly assessed.  As root
>>> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
>>> willing to have their own CNA, subject to certain conditions (all
>>> organizational) being met.  Is this something that would interest the
>>> community?
>>>
>>> I am volunteering to take primary responsibility in helping set
>>> things up, including coordination with the CTI (for whatever
>>> additional infrastructure this would need), coordination with Red Hat
>>> and helping build consensus on what the organizational structure
>>> should look like.
>>
>> Please include me in the list of volunteers.
>>
>> I think this is a great step forward in reducing downstream CVE work by ensuring
>> we have a good upstream review process.
>>  
>>> At the outset, we'll need to have broad agreement on the following:
>>>
>>> 1. How should users submit issues?  We would need an independent,
>>> private mailing list, possibly one that can also do PGP for users to
>>> report security issues.
>>
>> Start small. Private mailing list works. I expect we will have to publish and
>> accept PGP signed email to all volunteers. So we'll need to publish volunteer
>> keys, and have a process for withdrawing volunteer keys.
>>  
>>> 2. Identify a group of people who ought to be on that list.  A
>>> starting group could be a cross section of named maintainers from
>>> various distributions and FSF stewards but we probably need a way to
>>> make sure that the group is inclusive without being too broad.
>>
>> Count me in.
>>
>>> 3. A formal representation to the root CNA, i.e. Red Hat.  We would
>>> need a group of volunteers that would be willing to step in as
>>> signees for this.  I'm in, but I can't do it alone and would need
>>> more volunteers; it could perhaps be the same set of people who would
>>> be part of the initial security team in (2).
>>
>> I'm in.
> 
> Thanks, anybody else willing to volunteer?

I can help on this as well.