This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.




On 20/10/15 at 01:25, Carlos O'Donell wrote:
On 10/16/2015 11:23 AM, Florian Weimer wrote:
On 10/16/2015 04:51 PM, Hector Marco-Gisbert wrote:
Hello all,

It would be nice if our names (Hector Marco and Ismael Ripoll) appear in
the Changelog. At least showing that we reported the security issue.

Previously reported security issues (i.e. BZ #15754) were properly
credited in the glibc ChangeLog.

In my opinion, this was a mistake, we should credit only reporters which
follow the established disclosure procedures.

If you found a vulnerability which is sufficiently significant, in your
opinion, to deserve credits and a CVE identifier, you should make at
least one attempt to report it privately first.  We do not want to keep
things secret, but the pain of CVE assignment *after* public disclosure
means that we currently need private vulnerability reports to arrange
for CVE assignment.

I think this is slightly different from the notion you are used to in
the realm of security where the discovery of the vulnerability is widely
credited to some single source.

Regardless of the security impact of the bug, the patch and the idea came
from Hector.

You should do either multi-author if the code is based on Hector's patch:

2013-09-23  Hector Marco  <hecmargi@upv.es>
             Ismael Ripoll  <iripoll@disca.upv.es>
             Carlos O'Donell  <carlos@redhat.com>

	...

or you should thank Hector for the bug report via `Reported by`:

2008-05-21  Ulrich Drepper  <drepper@redhat.com>

         * locales/iso14651_t1_common: Remove U0C0D entry added for Telugu.
         Reported by Pravin Satpute.

This has nothing to do with the security relevant attribution.

Cheers,
Carlos.




Obviously we agree with Carlos; in fact, Linux kernel development follows a practice somewhat similar to what Carlos explains.

We think that good handling of credits can make a difference to the community that helps to support the project. Moving the credits to a third party (outside of the source code tree) jeopardizes responsibility or authorship because it is harder to track.

Avoiding the use of "Reported by" or adding "multi-author" forces anyone who wants to track the issue to go to the external party, analyze the issue entry and figure out whether the contribution is a bug report (Reported by), a patch contribution (multi-author) or whatever.


Regards,
Hector & Ismael.

--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)

