| Message ID | 20230222171920.113859-1-carlos@redhat.com |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id A06BA3858428 for <patchwork@sourceware.org>; Wed, 22 Feb 2023 17:20:33 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A06BA3858428 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1677086433; bh=xnxUehvXbIZrAl5yyBpHth3Vh8IAeUx8Lwk7NeX6p64=; h=To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:From; b=jayb0amTCNbNxD+5FbJLLdLpbuhaa4L9jr5+Qye4itaZnUDRk4R740jcDzQgiMDmx FO0hH3yopAuEcGlmEfKieif7MpI3ZQJwYbYp0j4VDrl445cz/Gv6yMmrI2zQEcgUa1 NirkSTVdmLHxI+yLsYe/JKaNi0O0VmyV5zMQN/DM= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 70F553857C45 for <libc-alpha@sourceware.org>; Wed, 22 Feb 2023 17:20:11 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 70F553857C45 Received: from mail-io1-f69.google.com (mail-io1-f69.google.com [209.85.166.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-224--EKWzeIOOB6PBTDmxAUEbA-1; Wed, 22 Feb 2023 12:20:05 -0500 X-MC-Unique: -EKWzeIOOB6PBTDmxAUEbA-1 Received: by mail-io1-f69.google.com with SMTP id d25-20020a0566022bf900b00745469852cfso4233318ioy.19 for <libc-alpha@sourceware.org>; Wed, 22 Feb 2023 09:20:05 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xnxUehvXbIZrAl5yyBpHth3Vh8IAeUx8Lwk7NeX6p64=; b=3O/VlFapPB+Yhb6NPkZ6VZ80UfOUR6O2y8vT5ka3aoQgnBOOlbnV/T129TrgnZ5UZ4 BjI7Ll8u5NgqXLy1J4/nmbJzYw7n/dlEG4Pj3Q2p5l7Fmu2XptClcrXhgEIF0DPio4Ip wW1yjBuaiyNmJNmqHlvT+1AYQ4/qNDzLtCX8mQpafY46GkP3KEZ+b17xjy/eArHswoou 6alCFsvLQWgydQZK6rwnPdNCrXJkUR+l4DTpi8kMiV8ThW2wgt7misOiNcHyOFPkgshc F9xuzNguG6reVOSd1jpjt1sAYD10h9hY05VFmKvHzx8SUOPWNehUrZTTPOoWiTUCHHGh QFHw== X-Gm-Message-State: AO0yUKV1oVGTpEYUQr10uG2UzK4LQlDtGWBUWE/rweR+kbjPONNTeWY+ lfHoSh5wzMkta7c30kX6J4tBgv3oUa9FNDHkPoix2HM8PXfTwFqnJ04rexPxnuli1jjUSLN7s4U VapwcS35E4scWexVUy1gj6KUQCaD+uAoVqUDwFWQXRXP5G9UK9M62MdgVxtc8DSTVfCDYYVNOlr M= X-Received: by 2002:a92:7410:0:b0:314:54:4e5c with SMTP id p16-20020a927410000000b0031400544e5cmr8299501ilc.8.1677086404092; Wed, 22 Feb 2023 09:20:04 -0800 (PST) X-Google-Smtp-Source: AK7set8u2jYiMlpsjr0R9pZ9061ThB0lv2qZrK2OVVTudIBSlKTvY0w3trRXDfPhJXcl2I32pqVsmQ== X-Received: by 2002:a92:7410:0:b0:314:54:4e5c with SMTP id p16-20020a927410000000b0031400544e5cmr8299480ilc.8.1677086403737; Wed, 22 Feb 2023 09:20:03 -0800 (PST) Received: from athas.localdomain ([198.48.244.52]) by smtp.gmail.com with ESMTPSA id h28-20020a02cd3c000000b003ddd7af4bcesm1861761jaq.15.2023.02.22.09.20.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Feb 2023 09:20:03 -0800 (PST) To: libc-alpha@sourceware.org, fweimer@redhat.com Cc: Carlos O'Donell <carlos@redhat.com> Subject: [PATCH] Provide a SECURITY.md for glibc. Date: Wed, 22 Feb 2023 12:19:20 -0500 Message-Id: <20230222171920.113859-1-carlos@redhat.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-10.1 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, MEDICAL_SUBJECT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> From: Carlos O'Donell via Libc-alpha <libc-alpha@sourceware.org> Reply-To: Carlos O'Donell <carlos@redhat.com> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> |
| Series |
Provide a SECURITY.md for glibc.
|
|
Checks
| Context | Check | Description |
|---|---|---|
| dj/TryBot-apply_patch | success | Patch applied to master at the time it was sent |
| dj/TryBot-32bit | success | Build for i686 |
Commit Message
Carlos O'Donell
Feb. 22, 2023, 5:19 p.m. UTC
Upstrem scanners will look for a SECURITY.md to determine if the project has a security process. In 2014 glibc adopted a public security process that we document on the wiki here: https://sourceware.org/glibc/wiki/Security%20Process This creates a SECURITY.md file that points directly at the security process in the wiki and indicates that glibc has a policy. --- SECURITY.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 SECURITY.md
Comments
* Carlos O'Donell:
> Upstrem scanners will look for a SECURITY.md to determine if the
What's an “upstream scanner”? How do these scanners discover Sourceware
Git repositories?
Thanks,
Florian
On 2/23/23 06:44, Florian Weimer wrote: > * Carlos O'Donell: > >> Upstrem scanners will look for a SECURITY.md to determine if the > > What's an “upstream scanner”? How do these scanners discover Sourceware > Git repositories? (1) What is an upstream scanner? Typo s/Upstrem/Upstream/g. When I wrote "Upstream scanners" I meant tooling being used by projects to scan the set of dependencies on the project to see if they met a given security policy. Such a security policy might be: "All projects included in a product must have a security reporting policy." (2) How do these scanners discover Sourceware Git repositories? They don't. Either the scanners scan a tarball or... Either glibc forks in gitlab and github are used by other projects and those respositories are scanned by scanners that look at github sources. There are 1000+ repositories in github with glibc in the name, mostly forks for specific projects. Github itself can be configured with a security policy around this topic: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository It would therefore be useful to make sure that for projects including glibc to be able to determine, easily, how to submit security issues. Does that answer your questions?
On 2023-02-23 14:15, Carlos O'Donell via Libc-alpha wrote: > Github itself can be configured with a security policy around this topic: > https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository Maybe this should be noted in the git commit log for posterity. Thanks, Sid
On 2023-03-27 09:18, Siddhesh Poyarekar wrote: > On 2023-02-23 14:15, Carlos O'Donell via Libc-alpha wrote: >> Github itself can be configured with a security policy around this topic: >> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository > > Maybe this should be noted in the git commit log for posterity. Also, I wonder if it makes sense to move all of that content off the wiki and into the SECURITY.md. Thanks, Sid
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..579df63a7b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,4 @@ +# Security Process + +For the GNU C Library please use the following documented security process: +[Security Process](https://sourceware.org/glibc/wiki/Security%20Process).