| Message ID | 20230222171920.113859-1-carlos@redhat.com |
|---|---|
| State | New |
| Series | Provide a SECURITY.md for glibc. |
* Carlos O'Donell:
> Upstrem scanners will look for a SECURITY.md to determine if the
What's an “upstream scanner”? How do these scanners discover Sourceware
Git repositories?
Thanks,
Florian
On 2/23/23 06:44, Florian Weimer wrote:
> * Carlos O'Donell:
>
>> Upstrem scanners will look for a SECURITY.md to determine if the
>
> What's an “upstream scanner”? How do these scanners discover Sourceware
> Git repositories?

(1) What is an upstream scanner?

Typo s/Upstrem/Upstream/g.

When I wrote "Upstream scanners" I meant tooling being used by projects to scan the set of dependencies on the project to see if they met a given security policy.

Such a security policy might be: "All projects included in a product must have a security reporting policy."

(2) How do these scanners discover Sourceware Git repositories?

They don't.

Either the scanners scan a tarball or...

Either glibc forks in gitlab and github are used by other projects and those repositories are scanned by scanners that look at github sources.

There are 1000+ repositories in github with glibc in the name, mostly forks for specific projects.

Github itself can be configured with a security policy around this topic:
https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

It would therefore be useful to make sure that projects including glibc are able to determine, easily, how to submit security issues.

Does that answer your questions?
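The kind of dependency policy check Carlos describes, as an added example that is not part of the thread or of glibc: it walks a directory of vendored dependency checkouts, looks for a security policy file in the locations GitHub recognises (repository root, `docs/`, `.github/`), and flags policies that give the reader no way to actually report. The sample checkouts (`glibc`, `libfoo`, `libbar`) and the non-glibc file contents are constructed here for illustration; the glibc file content is the one from the patch.

```python
"""Added example: a minimal "upstream scanner" that checks a set of
dependency checkouts against the policy "every included project must
have a security reporting policy".  Not glibc code; sample tree is
constructed below for illustration."""
import os
import tempfile

# Locations in which GitHub looks for a repository's security policy.
CANDIDATE_PATHS = ("SECURITY.md", "docs/SECURITY.md", ".github/SECURITY.md")


def find_security_policy(repo_dir):
    """Return the path of the first security policy file found, or None."""
    for rel in CANDIDATE_PATHS:
        path = os.path.join(repo_dir, rel)
        if os.path.isfile(path):
            return path
    return None


def policy_has_contact(path):
    """Heuristic: a policy only helps a reporter if it names somewhere to
    report.  Accept an e-mail address or an http(s) link as 'somewhere'."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    return "@" in text or "http://" in text or "https://" in text


def scan_dependencies(root):
    """Treat each immediate subdirectory of `root` as one dependency
    checkout.  Returns {name: status} with status 'ok', 'no-contact'
    (policy file present but no reporting channel) or 'missing'."""
    results = {}
    for name in sorted(os.listdir(root)):
        repo = os.path.join(root, name)
        if not os.path.isdir(repo):
            continue
        policy = find_security_policy(repo)
        if policy is None:
            results[name] = "missing"
        elif policy_has_contact(policy):
            results[name] = "ok"
        else:
            results[name] = "no-contact"
    return results


def build_sample_tree():
    """Constructed sample: three fake dependency checkouts.  The glibc
    SECURITY.md content is the one proposed in the patch; libfoo and
    libbar are hypothetical."""
    root = tempfile.mkdtemp(prefix="deps-")
    os.makedirs(os.path.join(root, "glibc"))
    with open(os.path.join(root, "glibc", "SECURITY.md"), "w", encoding="utf-8") as f:
        f.write("# Security Process\n\n"
                "For the GNU C Library please use the following documented "
                "security process:\n"
                "[Security Process](https://sourceware.org/glibc/wiki/"
                "Security%20Process).\n")
    # Policy file in the .github/ location, but it names no contact.
    os.makedirs(os.path.join(root, "libfoo", ".github"))
    with open(os.path.join(root, "libfoo", ".github", "SECURITY.md"), "w",
              encoding="utf-8") as f:
        f.write("# Security\n\nWe take security seriously.\n")
    # No policy file at all.
    os.makedirs(os.path.join(root, "libbar"))
    return root


if __name__ == "__main__":
    for dep, status in scan_dependencies(build_sample_tree()).items():
        print(f"{dep:10s} {status}")
```

Run stand-alone it prints one line per checkout; a real scanner would point `scan_dependencies` at the vendor or submodule directory of the consuming project and fail the build on any `missing` or `no-contact` entry.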
On 2023-02-23 14:15, Carlos O'Donell via Libc-alpha wrote:
> Github itself can be configured with a security policy around this topic:
> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

Maybe this should be noted in the git commit log for posterity.

Thanks,
Sid
On 2023-03-27 09:18, Siddhesh Poyarekar wrote:
> On 2023-02-23 14:15, Carlos O'Donell via Libc-alpha wrote:
>> Github itself can be configured with a security policy around this topic:
>> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
>
> Maybe this should be noted in the git commit log for posterity.

Also, I wonder if it makes sense to move all of that content off the wiki and into the SECURITY.md.

Thanks,
Sid
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..579df63a7b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,4 @@ +# Security Process + +For the GNU C Library please use the following documented security process: +[Security Process](https://sourceware.org/glibc/wiki/Security%20Process).
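Review bot: the new SECURITY.md consists only of a heading and a link to the wiki page, so a reader of one of the many GitHub forks this patch is meant to help, or a scanner that inspects the file's contents rather than just its presence, still cannot see how to report an issue without following an external URL that is not under the repository's version control. Consider inlining at least the reporting contact and a one-line summary of the process (as Sid suggests, possibly the whole wiki content) and keeping the wiki link for the full procedure. The commit message should also record the GitHub security-policy reference that motivated the file, as raised in the thread.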