This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.


On Wed, 21 Oct 2015, Carlos O'Donell wrote:

> > Rather than the suggested NEWS section I'd rather say that each bug with a 
> > CVE gets its own entry in the NEWS file (in addition to the general list 
> > of fixed bugs) and that those entries credit the reporter.
> 
> Would you be OK if we expanded this to all security+ bugs get their own
> NEWS entry and that those entries credit the reporter?

I suppose so, though some security+ bugs are pretty obscure.

> While we would like all security+ bugs to have a CVE it isn't a hard and
> fast requirement right now, and in some cases we might not get a CVE for
> certain bugs, but might still want to mark them security+ and mention
> them as security bugs in the release NEWS.

I think we had consensus for Florian to assign CVEs for public security 
bugs as per <https://sourceware.org/ml/libc-alpha/2015-10/msg00034.html> 
(though I don't know how much work such an assignment is per bug, or how 
many of the current security+ bugs - 97 including closed bugs; 13 open; 13 
open bugs have security? and 64 open bugs have no security flag set either 
way - have them).

-- 
Joseph S. Myers
joseph@codesourcery.com
