This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Other format: | [Raw text] |
El 20/10/15 a las 01:25, Carlos O'Donell escribió:
On 10/16/2015 11:23 AM, Florian Weimer wrote:On 10/16/2015 04:51 PM, Hector Marco-Gisbert wrote:Hello all, It would be nice if our names (Hector Marco and Ismael Ripoll) appear in the Changelog. At least showing that we reported the security issue. Previously reported security issues (i.e BZ #15754) were properly credited in the Glibc Changelog.In my opinion, this was a mistake, we should credit only reporters which follow the established disclosure procedures. If you found a vulnerability which is sufficiently significant, in your opinion, to deserve credits and a CVE identifier, you should make at least one attempt to report it privately first. We do not want to keep things secret, but the pain of CVE assignment *after* public disclosure means that we currently need private vulnerability reports to arrange for CVE assignment.I think this is slightly different from the notion you are used to in the realm of security where the discovery of the vulnerability is widely credited to some single source. Regardless of the security impact of the bug the patch and the idea came from Hector. You should do either multi-author if the code is based on Hector's patch: 2013-09-23 Hector Marco <hecmargi@upv.es> Ismael Ripoll <iripoll@disca.upv.es> Carlos O'Donell <carlos@redhat.com> ... or you should thank Hector for the bug report via `Reported by`: 2008-05-21 Ulrich Drepper <drepper@redhat.com> * locales/iso14651_t1_common: Remove U0C0D entry added for Telugu. Reported by Pravin Satpute. This has nothing to do with the security relevant attribution. Cheers, Carlos.
Obviously we agree with Carlos, in fact the Linux Kernel development follows somewhat similar to what Carlos explains.
We think that a good handling of credits can make a difference in the community that help to support the project. Moving the credits to a third party (outside of the source code tree) jeopardize the responsibility or authorship because it is harder to track it.
Avoiding the use of "Reported by" or add "multi-author" forces to anyone who wants to track the issue to go to the external party, analyze the issue entry and figure out if the contribution is a bug report (Reported by), patch contribution (multi-author) or whatever.
Regards, Hector & Ismael. -- Hector Marco-Gisbert @ http://hmarco.org/ Cyber Security Researcher @ http://cybersecurity.upv.es Universitat Politècnica de València (Spain)
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |