This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] | |
On Mon, May 19, 2014 at 08:46:16AM +0100, Will Newton wrote: > This doesn't seem to be the case. I am not sure of the > political/economic motivations behind creating CVEs but it seems the > onus is on the bug reporter/fixer to request a CVE on the oss-security > list. AFAIK for embargoed bugs, distribution maintainers sync up and release a fix for the bug together before making the issue public. For bugs that are already public, security folks on the distribution teams request a CVE on oss-security. > In my opinion it would be useful if the glibc project had some > kind of security person or team which could make sure any security > bugs are identified and CVEs requested. The MAINTAINERS page has information on this. https://sourceware.org/glibc/wiki/MAINTAINERS#Contacting_maintainers If you have a live exploit or a potential exploit, stick to private communication with a subset of maintainers till you arrive at a fix. The subset of maintainers should include the senior folks so that the potential fix gets early review. > It would also be useful to do the backports to stable branches of the > security fix, but at the moment it seems every vendor has their own > stable branch. Yes, nobody is using the point releases right now, so there is no real incentive in maintaining those branches. This is true for bug fixes in general, not just security fixes. Siddhesh
Attachment:
pgpdS8tcAwbOP.pgp
Description: PGP signature
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |