This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.
- From: Joseph Myers <joseph at codesourcery dot com>
- To: Carlos O'Donell <carlos at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, Florian Weimer <fweimer at redhat dot com>, Aurelien Jarno <aurelien at aurel32 dot net>, Mike Frysinger <vapier at gentoo dot org>, Allan McRae <allan at archlinux dot org>, Siddhesh Poyarekar <sid at reserved-bit dot com>, Andreas Schwab <schwab at suse dot de>, "Dmitry V. Levin" <ldv at altlinux dot org>, Khem Raj <raj dot khem at gmail dot com>, Adam Conrad <adconrad at 0c3 dot net>
- Date: Wed, 21 Oct 2015 20:28:04 +0000
- Subject: Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.
- References: <5627D1F7 dot 8030908 at redhat dot com>
On Wed, 21 Oct 2015, Carlos O'Donell wrote:

> I have suggested that we add an attribution section to the NEWS
> for each release to thank those people who report bugs via the
> security process and for which those bugs are fixed in the release.
> This suggestion is now in the Committers checklist[4].

To be clear: "via the security process" includes the normal case of
non-critical bugs that are reported in Bugzilla, with the security nature
of the issue being noted in the bug filed (as opposed to reporting
somewhere outside Bugzilla, or not mentioning that the bug could be a
security issue when reporting in Bugzilla)? We don't want to encourage
unnecessary private reporting.

Rather than the suggested NEWS section I'd rather say that each bug with a
CVE gets its own entry in the NEWS file (in addition to the general list
of fixed bugs) and that those entries credit the reporter.

--
Joseph S. Myers
joseph@codesourcery.com