This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Policy for posting security bug reports?


On 6/23/2012 12:29 PM, Paul Eggert wrote:
> On 06/23/2012 06:55 AM, Petr Baudis wrote:
> 
>>   I'd like to ask people familiar with other GNU projects, what is the
>> policy there? E.g. for gcc, binutils (probably not too many security
>> bugs in these two), coreutils, ...?
> 
> I report serious stuff privately, so that the first notice of
> a bug is a patch installed into the master copy.
> 
> People are also welcome to report bugs via more-formal
> approaches, e.g., the U.S. Computer Emergency Readiness Team
> <http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
> There is a formal channel between US-CERT and the GNU C
> library developers.  It used to see some activity, but
> the hotline hasn't rung for quite some time, presumably
> since nothing has been important enough.
> 
> As for deciding how important a bug is, I normally try to
> use common sense, but if one wants to be more systematic
> about it triage tools are available.  See
> <http://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html>
> for a brief discussion.  (I've never used these.)
> 

Paul,

Could you please document the "formal channel"
with CERT under MAINTAINERS in the wiki?

Feel free to add a "Liaisons" section.

I didn't know such a channel existed.

Cheers,
Carlos.
-- 
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026

