This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Streamlining CVE assignment for glibc
- From: Florian Weimer <fweimer at redhat dot com>
- To: Roland McGrath <roland at hack dot frob dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 2 Oct 2015 22:08:36 +0200
- Subject: Re: Streamlining CVE assignment for glibc
- Authentication-results: sourceware.org; auth=none
- References: <560E423D dot 1020106 at redhat dot com> <20151002180644 dot 171C62C3B6D at topped-with-meat dot com> <560EC9DE dot 6050606 at redhat dot com> <20151002182932 dot 6ACE32C3B6D at topped-with-meat dot com>
On 10/02/2015 08:29 PM, Roland McGrath wrote:
> Just make sure it explains everything about CVEs and our processes related
> to them that glibc hackers might need to know.
If you don't care for CVE for other reasons, you can ignore it.
As far as the security process is concerned, *please* mark security bugs
as security+ in Bugzilla. Similarly, when reviewing patches and you
think you are looking at a bug fix which addresses a security
vulnerability without being recognized as such, please speak up.
A significant fraction of important security bugs started as
non-security bugs and were recognized as security-relevant only after
fixing them. Which is both good (we are fixing relevant bugs) and bad
(downstreams will miss opportunities to bundle security fixes with other
changes).
Florian