This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Policy for posting security bug reports?
On 6/23/2012 12:29 PM, Paul Eggert wrote:
> On 06/23/2012 06:55 AM, Petr Baudis wrote:
>
>> I'd like to ask people familiar with other GNU projects, what is the
>> policy there? E.g. for gcc, binutils (probably not too many security
>> bugs in these two), coreutils, ...?
>
> I report serious stuff privately, so that the first notice of
> a bug is a patch installed into the master copy.
>
> People are also welcome to report bugs via more-formal
> approaches, e.g., the U.S. Computer Emergency Readiness Team
> <http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
> There is a formal channel between US-CERT and the GNU C
> library developers. It used to see some activity, but
> the hotline hasn't rung for quite some time, presumably
> since nothing has been important enough.
>
> As for deciding how important a bug is, I normally try to
> use common sense, but if one wants to be more systematic
> about it triage tools are available. See
> <http://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html>
> for a brief discussion. (I've never used these.)
>
Paul,
Could you please document the "formal channel"
with CERT under MAINTAINERS in the wiki?
Feel free to add a "Liaisons" section.
I didn't know such a channel existed.
Cheers,
Carlos.
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026