This is the mail archive of the mailing list for the glibc project.
Re: Community feedback on EU-FOSSA2 program.
On 2/4/19 2:44 PM, Florian Weimer wrote:
> * Carlos O'Donell:
>> On 2/4/19 11:12 AM, Florian Weimer wrote:
>>> I do *not* plan to participate on the Intigriti platform and review
>>> issues before they are passed on to distribution security teams, under
>>> our documented security process:
>>> <https://sourceware.org/glibc/wiki/Security Process>
>> I want to make sure that this statement is not misinterpreted by others,
>> so I'm going to ask some very specific questions, and please feel free
>> to answer only those questions you want to answer. As a volunteer your
>> choices are your own, and you don't have to justify them. We appreciate
>> all of your contributions.
>> (a) Did you make the choice not to participate on the Intigriti platform
>> and review issues because of actions taken by the GNU C Library
>> (b) Was there anything the stewards could have done better which would
>> have changed your mind and allowed you to participate?
> Sorry for phrasing this so poorly. First of all, I want to stress that
> I was talking about participation *on the Intigriti platform*. This has
> nothing to do with vulnerability handling for the glibc project in
> general, which I will continue to do as long as the community lets me.
> Unless the glibc community takes different steps (in which I do not plan
> to be involved, but see below), I expect that vulnerabilities reported
> through Intigriti will be handled through the usual security process,
> that is, by contacting one of the designated GNU/Linux distributions
> mentioned on the wiki. Therefore, eventually, the process will still
> involve myself.
> The behavior of the stewards has nothing to do with my decision. It is
> the result of contrasting Intigriti's recommendations on the call last
> week with what I think are Red Hat's policies applicable to this matter.
> I do not want to obtain the necessary waivers on Red Hat's part; I think
> my time would be better spent on other tasks (such as patch review).
> Therefore, I did not even have to consider my personal views related to
> bug bounty programs.
> If you disagree and you want me to engage with Intigriti in my
> professional capacity, this is something we should discuss off-list.
Thank you for clarifying! Everything you say sounds perfectly reasonable.