This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Community feedback on EU-FOSSA2 program.


* Carlos O'Donell:

> On 2/4/19 11:12 AM, Florian Weimer wrote:
>> I do *not* plan to participate on the Intigriti platform and review
>> issues before they are passed on to distribution security teams, under
>> our documented security process:
>> 
>>   <https://sourceware.org/glibc/wiki/Security Process>
>
> I want to make sure that this statement is not misinterpreted by others,
> so I'm going to ask some very specific questions, and please feel free
> to answer only those questions you want to answer. As a volunteer your
> choices are your own, and you don't have to justify them. We appreciate
> all of your contributions.
>
> (a) Did you make the choice not to participate on the Intigriti platform
>     and review issues because of actions taken by the GNU C Library
>     maintainers?
>
> (b) Was there anything the stewards could have done better which would
>     have changed your mind and allowed you to participate?

Sorry for phrasing this so poorly.  First of all, I want to stress that
I was talking about participation *on the Intigriti platform*.  This has
nothing to do with vulnerability handling for the glibc project in
general, which I will continue to do as long as the community lets me.
Unless the glibc community takes different steps (in which I do not plan
to be involved, but see below), I expect that vulnerabilities reported
through Intigriti will be handled through the usual security process,
that is, by contacting one of the designated GNU/Linux distributions
mentioned on the wiki.  Therefore, eventually, the process will still
involve myself.

The behavior of the stewards has nothing to do with my decision.  It is
the result of contrasting Intigriti's recommendations on the call last
week with what I think are Red Hat's policies applicable to this matter.
I do not want to obtain the necessary waivers on Red Hat's part; I think
my time would be better spent on other tasks (such as patch review).
Therefore, I did not even have to consider my personal views related to
bug bounty programs.

If you disagree and you want me to engage with Intigriti in my
professional capacity, this is something we should discuss off-list.

Thanks,
Florian

