From: Siddhesh Poyarekar
To: Alexandre Oliva
Cc: GNU C Library
Date: Thu, 7 Sep 2023 06:48:54 -0400
Subject: Re: GNU C Library as its own CNA?

On 2023-09-06 23:27, Alexandre Oliva wrote:
> On Sep 6, 2023, Siddhesh Poyarekar wrote:
>
>> That would be a worthy goal, but it may be best to have individual
>> CNAs for glibc, binutils, gcc, etc. because it allows the individual
>> communities to nominate their own security teams for example and run
>> independently.
>
> I had understood, from the conversations I had when the invitation to
> join was presented to GNU, that making GNU the CNA, and then having GNU
> packages under the GNU umbrella, would make things much simpler, and
> would not stand in the way of nominating separate security teams for
> specific packages. So that seemed to make more sense to me.

Maybe they were looking at GNU as a root CNA under Mitre, which requires much more compliance and formal organization as I understand it. What I'm proposing is simpler, which is to become a CNA under Red Hat as the root CNA under its CVE program[1]. I think it's much easier for individual packages to do this as opposed to GNU trying to become root CNA directly under Mitre and then setting up individual teams/CNAs for packages under it.
> I'm concerned that starting out with a package, as if it was
> independent, would make it harder to bring it into the scope of the GNU
> CNA once that was set up, so I'd rather avoid that hassle.
>
> Now, if you're familiar with the requirements and processes, would you
> be willing to advise us (GNU leadership and advisory committee) towards
> becoming a CNA for GNU packages, with appointed security response teams
> for GNU packages that have their own dedicated teams?

I still don't think a single CNA for all of GNU is a good idea because packages under GNU have very different processes and security requirements. Maybe GNU as a root CNA (and then projects as subordinate CNAs) is something you may be interested in but I'm of limited use there. Given the looseness of the setup for the subordinate CNAs, I don't think it should be too hard to move root CNAs later on if that is of interest to the community.

Thanks,
Sid

[1] https://access.redhat.com/articles/red_hat_cve_program