From: Alexandre Oliva
To: Siddhesh Poyarekar
Cc: GNU C Library
Subject: Re: GNU C Library as its own CNA?
Organization: Free thinker, not speaking for the GNU Project
Date: Thu, 07 Sep 2023 00:27:17 -0300
In-Reply-To: <1fd12501-cc77-1943-9fe0-611376c77e09@gotplt.org> (Siddhesh Poyarekar's message of "Wed, 6 Sep 2023 20:56:03 -0400")
References: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org> <8f303953-3e5e-582f-ab4b-d3d0911f3be2@gotplt.org> <8222787b-f534-a827-ebf5-d9100844228d@gotplt.org> <1fd12501-cc77-1943-9fe0-611376c77e09@gotplt.org>

On Sep 6, 2023, Siddhesh Poyarekar wrote:

> That would be a worthy goal, but it may be best to have individual
> CNAs for glibc, binutils, gcc, etc. because it allows the individual
> communities to nominate their own security teams for example and run
> independently.

I had understood, from the conversations I had when the invitation to
join was presented to GNU, that making GNU the CNA, and then having GNU
packages under the GNU umbrella, would make things much simpler, and
would not stand in the way of nominating separate security teams for
specific packages.  So that seemed to make more sense to me.

I'm concerned that starting out with a package, as if it was
independent, would make it harder to bring it into the scope of the GNU
CNA once that was set up, so I'd rather avoid that hassle.

Now, if you're familiar with the requirements and processes, would you
be willing to advise us (GNU leadership and advisory committee) towards
becoming a CNA for GNU packages, with appointed security response teams
for GNU packages that have their own dedicated teams?

Thanks in advance,

-- 
Alexandre Oliva, happy hacker                https://FSFLA.org/blogs/lxo/
   Free Software Activist                       GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Think Assange & Stallman.  The empires strike back