From: Carlos O'Donell <carlos@redhat.com>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>,
GNU C Library <libc-alpha@sourceware.org>
Subject: Re: GNU C Library as its own CNA?
Date: Mon, 11 Sep 2023 08:47:11 -0400 [thread overview]
Message-ID: <f93f560d-a45f-eab1-ac27-2cc3e3ba7a78@redhat.com> (raw)
In-Reply-To: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org>
On 7/28/23 11:56, Siddhesh Poyarekar wrote:
> We have, for many years, been using distribution security teams to
> help with CVE triage and assignment. It has worked for the most
> part, but it's not uncommon to have CVEs assigned by organizations
> that don't always have a proper understanding of the security impact
> of bugs in glibc despite us having a clearly documented Security
> Process[1]; a recent example is CVE-2023-0687[2], which we had to
> jump through many hoops just to get it disputed and get the record
> straight on the bug.
>
> If the GNU C Library had it's own CNA, all vulnerabilities reported
> against CVE would have to come to this CNA for triage, thus making
> sure that security issues in glibc get correctly assessed. As root
> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
> willing to have their own CNA, subject to certain conditions (all
> organizational) being met. Is this something that would interest the
> community?
>
> I am volunteering to take primary responsibility in helping set
> things up, including coordination with the CTI (for whatever
> additional infrastructure this would need), coordination with Red Hat
> and helping build consensus on what the organizational structure
> should look like.
Please include me in the list of volunteers.
I think this is a great step forward in reducing downstream CVE work by ensuring
we have a good upstream review process.
> At the outset, we'll need to have broad agreement on the following:
>
> 1. How should users submit issues? We would need an independent,
> private mailing list, possibly one that can also do PGP for users to
> report security issues.
Start small. Private mailing list works. I expect we will have to publish and
accept PGP signed email to all volunteers. So we'll need to publish volunteer
keys, and have a process for withdrawing volunteer keys.
> 2. Identify a group of people who ought to be on that list. A
> starting group could be a cross section of named maintainers from
> various distributions and FSF stewards but we probably need a way to
> make sure that the group is inclusive without being too broad.
Count me in.
> 3. A formal representation to the root CNA, i.e. Red Hat. We would
> need a group of volunteers that would be willing to step in as
> signees for this. I'm in, but I can't do it alone and would need
> more volunteers; it could perhaps be the same set of people who would
> be part of the initial security team in (2).
I'm in.
> Thanks, Sid
>
> [1] https://sourceware.org/glibc/wiki/Security%20Process [2]
> https://vuldb.com/?id.220246 [3]
> https://access.redhat.com/articles/red_hat_cve_program
>
--
Cheers,
Carlos.
next prev parent reply other threads:[~2023-09-11 12:47 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 15:56 Siddhesh Poyarekar
2023-07-28 16:09 ` Florian Weimer
2023-07-28 16:11 ` Siddhesh Poyarekar
2023-07-28 16:41 ` Joseph Myers
2023-07-28 17:28 ` Paul Eggert
2023-09-06 11:41 ` Siddhesh Poyarekar
2023-09-06 12:33 ` Florian Weimer
2023-09-06 16:00 ` Paul Eggert
2023-09-06 16:33 ` Florian Weimer
2023-09-06 17:04 ` Paul Eggert
2023-07-31 17:42 ` Siddhesh Poyarekar
2023-09-06 11:40 ` Siddhesh Poyarekar
2023-09-06 18:35 ` Alexandre Oliva
2023-09-06 18:57 ` Siddhesh Poyarekar
2023-09-06 19:02 ` Paul Eggert
2023-09-06 22:01 ` Alexandre Oliva
2023-09-07 0:56 ` Siddhesh Poyarekar
2023-09-07 3:27 ` Alexandre Oliva
2023-09-07 10:48 ` Siddhesh Poyarekar
2023-09-07 15:46 ` Florian Weimer
2023-09-07 17:14 ` Alexandre Oliva
2023-09-08 10:58 ` Siddhesh Poyarekar
2023-09-10 16:57 ` Alexandre Oliva
2023-09-11 7:46 ` Florian Weimer
2023-09-11 12:59 ` Carlos O'Donell
2023-09-11 9:58 ` Siddhesh Poyarekar
2023-09-11 12:47 ` Carlos O'Donell [this message]
2023-09-12 11:40 ` Siddhesh Poyarekar
2023-09-12 13:15 ` Adhemerval Zanella Netto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f93f560d-a45f-eab1-ac27-2cc3e3ba7a78@redhat.com \
--to=carlos@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).