From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 28 Jul 2023 16:41:21 +0000
From: Joseph Myers
To: Siddhesh Poyarekar
CC: GNU C Library
Subject: Re: GNU C Library as its own CNA?
In-Reply-To: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>
References: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>

On Fri, 28 Jul 2023, Siddhesh Poyarekar wrote:

> 1. How should users submit issues? We would need an independent, private
> mailing list, possibly one that can also do PGP for users to report security
> issues.
Probably at least 95% of glibc security issues are low-risk and most
appropriately submitted in public to Bugzilla (the exceptions being things
such as CVE-2015-7547). If we add some kind of private submission
mechanism, we should also strongly discourage its use for the bulk of
low-risk issues to avoid adding unnecessary overhead for those.

-- 
Joseph S. Myers
joseph@codesourcery.com