From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTPS id AFBB43858C00 for ; Thu, 23 Feb 2023 19:15:55 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org AFBB43858C00 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677179755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=REK8JlYEUnWTTf7u9wsPdRA676FpPtCbMsLQmlUW2+c=; b=J92xE7VK5KyRXnOnWOrlnV0kBItmyVuuTI/2SAv/lujyuh+SCSJXIbFz2DJ4HZC/zyh2j1 mVV/OQ4QUlUJrufDjQ/l0r6S+ny3jfXqqS12stg6PA9XQAHZUchlc6s2ANgDjr1en7sgAO 0b0WCgVPUHgJbMgqjk+6baRfTwj7aBw= Received: from mail-io1-f72.google.com (mail-io1-f72.google.com [209.85.166.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-659-JzP66Nl7POebAgKfOsv33A-1; Thu, 23 Feb 2023 14:15:53 -0500 X-MC-Unique: JzP66Nl7POebAgKfOsv33A-1 Received: by mail-io1-f72.google.com with SMTP id g7-20020a056602242700b00745a4e97ce7so7643767iob.2 for ; Thu, 23 Feb 2023 11:15:53 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=REK8JlYEUnWTTf7u9wsPdRA676FpPtCbMsLQmlUW2+c=; b=s3I/peLskFlh/AAT1fagLBEpIt2GFF1hwG/5pb2LQvk506XfZf2K3exOSr9GWnRgrS kH472PAxwFynC/aIUIfCZumOwIQtZ/SIY297mKNdAx9+aH+Cab8b+Wz7+3UmB8n51rpm OPxwcpM8xCG7+b6gJbZE18BSehXqx4+FmOvJde2BEVVtYqeeE+Uc+t4mhPeD6BK7ujcu uBqPcmDXBbtvJTVDVZVz9kejyzWAoFlJaT9UqpaNJ/WbBH4VXJJyc9BQ7ViP4AJpld0H LmkVHnzHMX/R5O8TmoLbjzzSF4JjkpO6Q6WLAJFphtRxr9nP8wRPSKn8tajfmysPPPW+ QlZA== X-Gm-Message-State: AO0yUKVt5UVdu27PoMAFfRcFkmHjn6sFSQNDS+qmJqdKVQ53CdmYBNsI Ga2/WgZRfI9ObDrXugYJ7IrVbvjnfzTkN4EdXT3MqGTm/y87ZBCaKKNv050LWThGAiyLNaJBbvg ban61Z6YBlwktFX/zVuPh7IfDkA== X-Received: by 2002:a05:6e02:12c3:b0:316:f99d:9ea2 with SMTP id i3-20020a056e0212c300b00316f99d9ea2mr4077668ilm.17.1677179752390; Thu, 23 Feb 2023 11:15:52 -0800 (PST) X-Google-Smtp-Source: AK7set/rWHmxo9NP7XtcAwZlPngNFNRRs6RP6JUhZIn4XZWGlIxLdLQbhnMyVRq9sUrB2GJWJYWCKA== X-Received: by 2002:a05:6e02:12c3:b0:316:f99d:9ea2 with SMTP id i3-20020a056e0212c300b00316f99d9ea2mr4077660ilm.17.1677179752193; Thu, 23 Feb 2023 11:15:52 -0800 (PST) Received: from [192.168.0.241] ([198.48.244.52]) by smtp.gmail.com with ESMTPSA id k9-20020a056e02156900b00316e39f1285sm2022119ilu.82.2023.02.23.11.15.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 Feb 2023 11:15:51 -0800 (PST) Message-ID: Date: Thu, 23 Feb 2023 14:15:50 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [PATCH] Provide a SECURITY.md for glibc. To: Florian Weimer Cc: libc-alpha@sourceware.org References: <20230222171920.113859-1-carlos@redhat.com> <87r0ug38tj.fsf@oldenburg.str.redhat.com> From: Carlos O'Donell Organization: Red Hat In-Reply-To: <87r0ug38tj.fsf@oldenburg.str.redhat.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MEDICAL_SUBJECT,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2/23/23 06:44, Florian Weimer wrote: > * Carlos O'Donell: > >> Upstrem scanners will look for a SECURITY.md to determine if the > > What's an “upstream scanner”? How do these scanners discover Sourceware > Git repositories? (1) What is an upstream scanner? Typo s/Upstrem/Upstream/g. When I wrote "Upstream scanners" I meant tooling being used by projects to scan the set of dependencies on the project to see if they met a given security policy. Such a security policy might be: "All projects included in a product must have a security reporting policy." (2) How do these scanners discover Sourceware Git repositories? They don't. Either the scanners scan a tarball or... Either glibc forks in gitlab and github are used by other projects and those respositories are scanned by scanners that look at github sources. There are 1000+ repositories in github with glibc in the name, mostly forks for specific projects. Github itself can be configured with a security policy around this topic: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository It would therefore be useful to make sure that for projects including glibc to be able to determine, easily, how to submit security issues. Does that answer your questions? -- Cheers, Carlos.