This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Policy for posting security bug reports?
On 6/25/2012 4:05 PM, Russ Allbery wrote:
> Carlos O'Donell <carlos_odonell@mentor.com> writes:
>
>> (b) Where possible the policy should use already established official
>> channels for security issue reporting. For example reporting the issue
>> with CERT is IMO the best way forward. The GNU Libc project and the
>> distributions can have liaisons with CERT, and receive early warnings
>> from them in private.
>
> I would recommend having a security bug reporting channel specific to GNU
> libc and not ask everyone with a possible security bug to report it to
> CERT. For one, CERT may not be particularly quick, and for another,
> you're often going to need to triage these bugs with domain expertise. A
> lot of things that people think are security bugs actually aren't, and
> you'll want to make a quick judgement about severity. This is much easier
> if the person is talking with you directly.
>
> CERT is good for publicizing security vulnerabilities once they've been
> patched, but they're not as good as an initial reporting mechanism.
>
> Having a few maintainers who have widely-available GnuPG keys in the
> well-connected web of trust and who are willing to get private email about
> issues and do something appropriate with them would probably be
> sufficient.
Russ,
Thanks for your feedback. Is this recommendation based on your experience
in working with CERT?
>> * Contact the distribution contact listed on the MAINTAINERS
>> page for every distribution affected by the issue.
>
> A lot of packages that deal with a lot of security issues have a private
> mailing list that's used by the maintainers to reach all of those people
> at once. (Some of them even do it via GnuPG-encrypted mail.) I don't
> know if GNU libc has enough security bug reports to warrant doing
> something like that.
>
One easy point of contact is the newly appointed release manager
for the branch currently in development. That person could then pull
in the appropriate people.
Cheers,
Carlos.
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026