This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Joseph Myers <joseph at codesourcery dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, Florian Weimer <fweimer at redhat dot com>, Aurelien Jarno <aurelien at aurel32 dot net>, Mike Frysinger <vapier at gentoo dot org>, Allan McRae <allan at archlinux dot org>, Siddhesh Poyarekar <sid at reserved-bit dot com>, Andreas Schwab <schwab at suse dot de>, "Dmitry V. Levin" <ldv at altlinux dot org>, Khem Raj <raj dot khem at gmail dot com>, Adam Conrad <adconrad at 0c3 dot net>
- Date: Wed, 21 Oct 2015 23:03:48 -0400
- Subject: Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.
On 10/21/2015 05:05 PM, Joseph Myers wrote:
> On Wed, 21 Oct 2015, Carlos O'Donell wrote:
>
>>> Rather than the suggested NEWS section I'd rather say that each bug with a
>>> CVE gets its own entry in the NEWS file (in addition to the general list
>>> of fixed bugs) and that those entries credit the reporter.
>>
>> Would you be OK if we expanded this to all security+ bugs get their own
>> NEWS entry and that those entries credit the reporter?
>
> I suppose so, though some security+ bugs are pretty obscure.
Thanks.
>> While we would like all security+ bugs to have a CVE it isn't a hard and
>> fast requirement right now, and in some cases we might not get a CVE for
>> certain bugs, but might still want to mark them security+ and mention
>> them as security bugs in the release NEWS.
>
> I think we had consensus for Florian to assign CVEs for public security
> bugs as per <https://sourceware.org/ml/libc-alpha/2015-10/msg00034.html>
> (though I don't know how much work such an assignment is per bug, or how
> many of the current security+ bugs - 97 including closed bugs; 13 open; 13
> open bugs have security? and 64 open bugs have no security flag set either
> way - have them).
We do have consensus that CVEs should be assigned to public security bugs,
but that is a process beyond the control of this community. For simple reasons
of autonomy I'd like the process to flow naturally from flags we have in bugzilla.
Thus security+ triggers a NEWS entry and the creation of a CVE. We can always
adjust NEWS when the CVE is assigned.
Cheers,
Carlos.