unofficial mirror of libc-alpha@sourceware.org
From: Carlos O'Donell <carlos@redhat.com>
To: libc-alpha <libc-alpha@sourceware.org>
Subject: The glibc security team and conflicts of interest --- documenting expectations.
Date: Tue, 16 Apr 2024 10:21:51 -0400
Message-ID: <3b0af8d4-1c7d-4f36-acff-999a668ecc40@redhat.com>

I have been actively documenting the glibc security team response process here:
https://sourceware.org/glibc/wiki/CNA/Response

This is part of the broader umbrella of CNA documentation for the project:
https://sourceware.org/glibc/wiki/CNA

I am trying to document the obligations of the security team and the process
to follow here in order to make the process repeatable, high quality, and avoid
subtle conflicts of interest.

For example, the worst conflict of interest for me occurs when I take a CVE
patch developed by the glibc security team, in collaboration with the reporter,
and copy it downstream into Fedora or RHEL and prepare a release to be ready
for the disclosure date. This represents, IMO, a misuse of my privilege as part
of the glibc security team. The appropriate solution is to post the patch to
linux-distros first, and then, once all the distro teams have the patch, copy
the patch downstream. This ensures that everyone in the community has a copy
of the fix as provided by the upstream glibc security team.

I would like there to be some kind of firewall between the glibc security
team and downstream, but I know and realize that this is not often possible,
so the best I can do is document my expectation with each different hat
that I wear.

Please have a look at the current response document and feel free to provide
feedback on the topic.

-- 
Cheers,
Carlos.
