This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Re: Policy for posting security bug reports?


On 6/25/2012 4:05 PM, Russ Allbery wrote:
> Carlos O'Donell <carlos_odonell@mentor.com> writes:
> 
>> (b) Where possible the policy should use already established official
>> channels for security issue reporting. For example reporting the issue
>> with CERT is IMO the best way forward.  The GNU Libc project and the
>> distributions can have liaisons with CERT, and receive early warnings
>> from them in private.
> 
> I would recommend having a security bug reporting channel specific to GNU
> libc and not ask everyone with a possible security bug to report it to
> CERT.  For one, CERT may not be particularly quick, and for another,
> you're often going to need to triage these bugs with domain expertise.  A
> lot of things that people think are security bugs actually aren't, and
> you'll want to make a quick judgement about severity.  This is much easier
> if the person is talking with you directly.
> 
> CERT is good for publicizing security vulnerabilities once they've been
> patched, but they're not as good as an initial reporting mechanism.
> 
> Having a few maintainers who have widely-available GnuPG keys in the
> well-connected web of trust and who are willing to get private email about
> issues and do something appropriate with them would probably be
> sufficient.

Russ,

Thanks for your feedback. Is this recommendation based on your experience
in working with CERT?

>> * Contact the distribution contact listed on the MAINTAINERS
>>   page for every distribution affected by the issue.
> 
> A lot of packages that deal with a lot of security issues have a private
> mailing list that's used by the maintainers to reach all of those people
> at once.  (Some of them even do it via GnuPG-encrypted mail.)  I don't
> know if GNU libc has enough security bug reports to warrant doing
> something like that.
> 

One easy point of contact is the newly appointed release manager
for the branch currently in development. That person could then pull
in the appropriate people.

Cheers,
Carlos.
-- 
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026