From: Alexandre Oliva
To: Siddhesh Poyarekar
Cc: GNU C Library
Subject: Re: GNU C Library as its own CNA?
Organization: Free thinker, not speaking for the GNU Project
Date: Thu, 07 Sep 2023 14:14:59 -0300
In-Reply-To: Siddhesh Poyarekar's message of "Thu, 7 Sep 2023 06:48:54 -0400"

On Sep 7, 2023, Siddhesh Poyarekar wrote:

> Maybe they were looking at GNU as a root CNA under Mitre

No, the invitation was from Red Hat, same thing you describe.

> I think it's much
> easier for individual packages to do this

It should be just as easy for GNU to do that, and then GNU packages can enroll even more easily. That was the picture I got from the interactions at the time anyway, and it seemed to make sense.

On Sep 7, 2023, Florian Weimer wrote:

> GNU is not a legal entity

Minor point, but it is; it's just not incorporated. The FSF is its fiscal sponsor, so if we were talking about a root CNA with MITRE, it would indeed be the FSF that would sign the papers on behalf of GNU, at GNU's request. This is quite different from GNU libc, which is not incorporated and is part of GNU, so ultimately in either case it is GNU and its delegates who have the autonomy and legitimacy to enter agreements on behalf of GNU and its parts. That's why I find it more reasonable to have GNU as the CNA, and interested GNU packages underneath.

> Products and teams move between organizations all the time, there must
> be a process for this already.

But why make for that trouble if we can help it by doing it right at first?

> All communication about disputes, CVE
> requests and updates etc. have to go through the CNA instead, so it's a
> function that needs to be staffed appropriately. A component-specific
> CNA can just hand out API keys as appropriate, but that's going to be
> difficult across the whole of GNU.

There appears to be a boatload of confusing assumptions here. GNU, as a larger entity, and with direct FSF support, is far more likely to be able to staff one or more security teams appropriately than any of its component packages. And then, if any single GNU component package is able to handle that job appropriately, then it follows that GNU can handle that job appropriately, at least when it comes to that package. Right?

-- 
Alexandre Oliva, happy hacker                https://FSFLA.org/blogs/lxo/
   Free Software Activist                       GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Think Assange & Stallman.  The empires strike back