Date: Wed, 6 Sep 2023 07:41:54 -0400
Subject: Re: GNU C Library as its own CNA?
To: Paul Eggert, libc-alpha@sourceware.org
From: Siddhesh Poyarekar

On 2023-07-28 13:28, Paul Eggert wrote:
> On 2023-07-28 09:41, Joseph Myers wrote:
>> If we add some kind of private submission
>> mechanism, we should also strongly discourage its use for the bulk of
>> low-risk issues to avoid adding unnecessary overhead for those.
>
> One possibility is to use an already-existing submission mechanism,
> namely the GNU Security Escalation Contact . For what
> it's worth, that mailing list gets little email, mostly false alarms.
>
> https://savannah.gnu.org/mail/?group=security

Or alternatively, a private mailing list on sourceware alongside other
current lists.

One of the future challenges may be to support encrypted submissions
since that seems to be a preference for some security researchers. We
could do that for now by just listing public keys of volunteers in the
security group but if we end up with too many such submissions or have
too many volunteers or otherwise have operational difficulties then we
may have to think of another solution.

Thanks,
Sid