This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.
- From: Joseph Myers <joseph at codesourcery dot com>
- To: Carlos O'Donell <carlos at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, Florian Weimer <fweimer at redhat dot com>, Aurelien Jarno <aurelien at aurel32 dot net>, Mike Frysinger <vapier at gentoo dot org>, Allan McRae <allan at archlinux dot org>, Siddhesh Poyarekar <sid at reserved-bit dot com>, Andreas Schwab <schwab at suse dot de>, "Dmitry V. Levin" <ldv at altlinux dot org>, Khem Raj <raj dot khem at gmail dot com>, Adam Conrad <adconrad at 0c3 dot net>
- Date: Wed, 21 Oct 2015 21:05:25 +0000
- Subject: Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.
- Authentication-results: sourceware.org; auth=none
- References: <5627D1F7 dot 8030908 at redhat dot com> <alpine dot DEB dot 2 dot 10 dot 1510212023070 dot 7778 at digraph dot polyomino dot org dot uk> <5627FA90 dot 6080609 at redhat dot com>
On Wed, 21 Oct 2015, Carlos O'Donell wrote:
> > Rather than the suggested NEWS section I'd rather say that each bug with a
> > CVE gets its own entry in the NEWS file (in addition to the general list
> > of fixed bugs) and that those entries credit the reporter.
>
> Would you be OK if we expanded this to all security+ bugs get their own
> NEWS entry and that those entries credit the reporter?
I suppose so, though some security+ bugs are pretty obscure.
> While we would like all security+ bugs to have a CVE it isn't a hard and
> fast requirement right now, and in some cases we might not get a CVE for
> certain bugs, but might still want to mark them security+ and mention
> them as security bugs in the release NEWS.
I think we had consensus for Florian to assign CVEs for public security
bugs as per <https://sourceware.org/ml/libc-alpha/2015-10/msg00034.html>
(though I don't know how much work such an assignment is per bug, or how
many of the current security+ bugs - 97 including closed bugs; 13 open; 13
open bugs have security? and 64 open bugs have no security flag set either
way - have them).
--
Joseph S. Myers
joseph@codesourcery.com