Re: GNU C Library as its own CNA?

[Carlos O'Donell <carlos@redhat.com>]

On 7/28/23 11:56, Siddhesh Poyarekar wrote:
> We have, for many years, been using distribution security teams to
> help with CVE triage and assignment.  It has worked for the most
> part, but it's not uncommon to have CVEs assigned by organizations
> that don't always have a proper understanding of the security impact
> of bugs in glibc despite us having a clearly documented Security
> Process[1]; a recent example is CVE-2023-0687[2], which we had to
> jump through many hoops just to get it disputed and get the record
> straight on the bug.
> 
> If the GNU C Library had it's own CNA, all vulnerabilities reported
> against CVE would have to come to this CNA for triage, thus making
> sure that security issues in glibc get correctly assessed.  As root
> CNA, Red Hat is open to sponsoring FOSS organizations[3] that are
> willing to have their own CNA, subject to certain conditions (all
> organizational) being met.  Is this something that would interest the
> community?
> 
> I am volunteering to take primary responsibility in helping set
> things up, including coordination with the CTI (for whatever
> additional infrastructure this would need), coordination with Red Hat
> and helping build consensus on what the organizational structure
> should look like.

Please include me in the list of volunteers.

I think this is a great step forward in reducing downstream CVE work by ensuring
we have a good upstream review process.
 
> At the outset, we'll need to have broad agreement on the following:
> 
> 1. How should users submit issues?  We would need an independent,
> private mailing list, possibly one that can also do PGP for users to
> report security issues.

Start small. Private mailing list works. I expect we will have to publish and
accept PGP signed email to all volunteers. So we'll need to publish volunteer
keys, and have a process for withdrawing volunteer keys.
 
> 2. Identify a group of people who ought to be on that list.  A
> starting group could be a cross section of named maintainers from
> various distributions and FSF stewards but we probably need a way to
> make sure that the group is inclusive without being too broad.

Count me in.

> 3. A formal representation to the root CNA, i.e. Red Hat.  We would
> need a group of volunteers that would be willing to step in as
> signees for this.  I'm in, but I can't do it alone and would need
> more volunteers; it could perhaps be the same set of people who would
> be part of the initial security team in (2).

I'm in.
 
> Thanks, Sid
> 
> [1] https://sourceware.org/glibc/wiki/Security%20Process [2]
> https://vuldb.com/?id.220246 [3]
> https://access.redhat.com/articles/red_hat_cve_program
> 

-- 
Cheers,
Carlos.