This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- From: Hector Marco-Gisbert <hecmargi at upv dot es>
- To: "Carlos O'Donell" <carlos at redhat dot com>, Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, Andreas Jaeger <aj at suse dot com>
- Cc: Ismael Ripoll Ripoll <iripoll at upv dot es>
- Date: Tue, 10 Nov 2015 11:33:34 +0100
- Subject: Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- References: <1441471191-4683-1-git-send-email-hecmargi at upv dot es> <56162CD0 dot 4070902 at redhat dot com> <5618710F dot 6060406 at redhat dot com> <56210EF1 dot 9030801 at upv dot es> <56211681 dot 20200 at redhat dot com> <56257BD8 dot 2010004 at redhat dot com> <5627732F dot 5090106 at upv dot es> <5628503F dot 9050903 at redhat dot com>
On 22/10/15 at 04:55, Carlos O'Donell wrote:
On 10/21/2015 07:12 AM, Hector Marco-Gisbert wrote:
I think this is slightly different from the notion you are used to
in the realm of security where the discovery of the vulnerability
is widely credited to some single source.
Regardless of the security impact of the bug the patch and the idea
came from Hector.
You should do either multi-author if the code is based on Hector's
patch:
2013-09-23  Hector Marco  <hecmargi@upv.es>
            Ismael Ripoll  <iripoll@disca.upv.es>
            Carlos O'Donell  <carlos@redhat.com>
...
or you should thank Hector for the bug report via `Reported by`:
2008-05-21 Ulrich Drepper <drepper@redhat.com>
* locales/iso14651_t1_common: Remove U0C0D entry added for Telugu.
Reported by Pravin Satpute.
This has nothing to do with the security relevant attribution.
Obviously we agree with Carlos; in fact, Linux kernel development
follows something similar to what Carlos explains.
We think that good handling of credits can make a difference in the
community that helps to support the project. Moving the credits to a
third party (outside of the source code tree) jeopardizes the
responsibility or authorship because it is harder to track.
Avoiding the use of "Reported by" or adding "multi-author" forces
anyone who wants to track the issue to go to the external party,
analyze the issue entry and figure out if the contribution is a bug
report (Reported by), a patch contribution (multi-author) or whatever.
Ultimately it is up to the committer for the project to make the
decision if they feel that multi-author or reported by is the context
appropriate form to use.
Florian did nothing wrong and I do not wish to impinge on his autonomy
as a project developer. My goal was to clarify that security bug
attributions are distinct from code-level attributions.
Regarding security issues I have proposed some changes to help
clarify when the project will provide attribution and how:
https://www.sourceware.org/ml/libc-alpha/2015-10/msg00768.html
Cheers,
Carlos.
Sorry for the delayed response (I defended my PhD last week).
I think it is a great idea; this kind of initiative will encourage people to
make contributions.
Would it be possible to update the corresponding files to reflect our contribution?
Cheers,
Hector.
--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)