From: Adhemerval Zanella Netto (Linaro)
Date: Tue, 12 Sep 2023 10:15:50 -0300
Subject: Re: GNU C Library as its own CNA?
To: Siddhesh Poyarekar, Carlos O'Donell, GNU C Library
Message-ID: <8662163d-d6f5-c7ac-d897-d8aaa7415c07@linaro.org>
In-Reply-To: <02c60553-35dd-439c-6dbb-3e371048309b@gotplt.org>

On 12/09/23 08:40, Siddhesh Poyarekar wrote:
> On 2023-09-11 08:47, Carlos O'Donell wrote:
>> On 7/28/23 11:56, Siddhesh Poyarekar wrote:
>>> We have, for many years, been using distribution security teams to
>>> help with CVE triage and assignment. It has worked for the most
>>> part, but it's not uncommon to have CVEs assigned by organizations
>>> that don't always have a proper understanding of the security impact
>>> of bugs in glibc despite us having a clearly documented Security
>>> Process[1]; a recent example is CVE-2023-0687[2], which we had to
>>> jump through many hoops just to get it disputed and get the record
>>> straight on the bug.
>>>
>>> If the GNU C Library had its own CNA, all vulnerabilities reported
>>> against CVE would have to come to this CNA for triage, thus making
>>> sure that security issues in glibc get correctly assessed. As root
>>> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
>>> willing to have their own CNA, subject to certain conditions (all
>>> organizational) being met. Is this something that would interest the
>>> community?
>>>
>>> I am volunteering to take primary responsibility in helping set
>>> things up, including coordination with the CTI (for whatever
>>> additional infrastructure this would need), coordination with Red Hat
>>> and helping build consensus on what the organizational structure
>>> should look like.
>>
>> Please include me in the list of volunteers.
>>
>> I think this is a great step forward in reducing downstream CVE work by ensuring
>> we have a good upstream review process.
>>
>>> At the outset, we'll need to have broad agreement on the following:
>>>
>>> 1. How should users submit issues? We would need an independent,
>>> private mailing list, possibly one that can also do PGP for users to
>>> report security issues.
>>
>> Start small. Private mailing list works. I expect we will have to publish and
>> accept PGP signed email to all volunteers. So we'll need to publish volunteer
>> keys, and have a process for withdrawing volunteer keys.
>>
>>> 2. Identify a group of people who ought to be on that list. A
>>> starting group could be a cross section of named maintainers from
>>> various distributions and FSF stewards but we probably need a way to
>>> make sure that the group is inclusive without being too broad.
>>
>> Count me in.
>>
>>> 3. A formal representation to the root CNA, i.e. Red Hat. We would
>>> need a group of volunteers that would be willing to step in as
>>> signees for this. I'm in, but I can't do it alone and would need
>>> more volunteers; it could perhaps be the same set of people who would
>>> be part of the initial security team in (2).
>>
>> I'm in.
>
> Thanks, anybody else willing to volunteer?

I can help on this as well.