This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Hector Marco-Gisbert <hecmargi at upv dot es>, Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, Andreas Jaeger <aj at suse dot com>
- Cc: Ismael Ripoll Ripoll <iripoll at upv dot es>
- Date: Wed, 21 Oct 2015 22:55:59 -0400
- Subject: Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- References: <1441471191-4683-1-git-send-email-hecmargi at upv dot es> <56162CD0 dot 4070902 at redhat dot com> <5618710F dot 6060406 at redhat dot com> <56210EF1 dot 9030801 at upv dot es> <56211681 dot 20200 at redhat dot com> <56257BD8 dot 2010004 at redhat dot com> <5627732F dot 5090106 at upv dot es>
On 10/21/2015 07:12 AM, Hector Marco-Gisbert wrote:
>> I think this is slightly different from the notion you are used to
>> in the realm of security where the discovery of the vulnerability
>> is widely credited to some single source.
>>
>> Regardless of the security impact of the bug, the patch and the idea
>> came from Hector.
>>
>> You should do either multi-author if the code is based on Hector's
>> patch:
>>
>> 2013-09-23 Hector Marco <hecmargi@upv.es> Ismael Ripoll
>> <iripoll@disca.upv.es> Carlos O'Donell <carlos@redhat.com>
>>
>> ...
>>
>> or you should thank Hector for the bug report via `Reported by`:
>>
>> 2008-05-21 Ulrich Drepper <drepper@redhat.com>
>>
>> * locales/iso14651_t1_common: Remove U0C0D entry added for Telugu.
>> Reported by Pravin Satpute.
>>
>> This has nothing to do with the security relevant attribution.
>
> Obviously we agree with Carlos; in fact, the Linux Kernel development
> follows something similar to what Carlos explains.
>
> We think that good handling of credits can make a difference in the
> community that helps to support the project. Moving the credits to a
> third party (outside of the source code tree) jeopardizes the
> responsibility or authorship because it is harder to track.
>
> Avoiding the use of "Reported by" or adding "multi-author" forces
> anyone who wants to track the issue to go to the external party,
> analyze the issue entry and figure out whether the contribution is a bug
> report (Reported by), a patch contribution (multi-author) or whatever.
Ultimately it is up to the committer for the project to make the
decision if they feel that multi-author or reported-by is the
context-appropriate form to use.
Florian did nothing wrong and I do not wish to impinge on his autonomy
as a project developer. My goal was to clarify that security bug
attributions are distinct from code-level attributions.
Regarding security issues I have proposed some changes to help
clarify when the project will provide attribution and how:
https://www.sourceware.org/ml/libc-alpha/2015-10/msg00768.html
Cheers,
Carlos.