From: Carlos O'Donell <carlos@redhat.com>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>,
	Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
	David Edelsohn <dje.gcc@gmail.com>
Cc: cti-tac@lists.linuxfoundation.org
Subject: Re: Resources for glibc CNA
Date: Fri, 11 Aug 2023 12:49:20 -0400	[thread overview]
Message-ID: <059d464d-4975-8362-e60d-36bdabc0a304@redhat.com> (raw)
In-Reply-To: <69b52888-bc8e-d98e-a588-16f12939a9b5@gotplt.org>

On 8/11/23 11:28, Siddhesh Poyarekar wrote:
> On 2023-08-10 17:33, Carlos O'Donell wrote:
>> I don't have a strong opinion here, but I would rather start
>> *simple* and _then_ scale up to remail only if we need it. If we
>> can just use gpg/pgp then I would prefer that.
> 
> Maybe we could start with a regular, private mailing list and publish
> keys of some security team members to give reporters the option to
> use them if they need to encrypt their communication.  Team members
> that get contacted may need to act as pigeons between the mailing
> list and the reporter though.  We could start like this and see how
> quickly this gets painful.  I don't like the idea of sharing a subkey
> among multiple people :/

I don't like sharing any keys either.

I think we would publish the keys of the current group and update that as people
leave and join the group.
>> I agree we need to settle on the domain name, and I would also pick
>> "toolchain.dev" since we want to use that for other CTI projects,
>> and a landing page like "advisories.toolchain.dev" would be fine.
> 
> [bikeshed] security.toolchain.dev because we'll need a security
> policy page too, even if it just means pointing to or replicating the
> contents of our SECURITY.md.

Sure. Blue shed is fine with me.

>>>>> For the publication, I usually strongly advise a simple
>>>>> static site that can withstand very high traffic. I believe
>>>>> there is general consensus that "toolchain.dev" is the domain
>>>>> to be used for CTI purposes, so something could be published
>>>>> on advisories.toolchain.dev or similar.
>>>> 
>>>> Ack, a static site would be perfect, perhaps with markdown
>>>> pages and git access, similar to our plan for the wiki.
>>> 
>>> Another option is a restricted public advisories mailing list
>>> with a public-inbox frontend (similar to lore.kernel.org). This
>>> would provide you with both pull-based and push-based
>>> subscription options.
>> 
>> I like the static site backed by git better because it allows us to
>> do all kinds of git-based auditing and review. I get the appeal of
>> a mailing list, but I'd still end up committing something 
>> somewhere, and then sending an email via an API. Might as well just
>> commit and regenerate the pages.
>> 
> 
> ... and git allows us to edit advisories too.  In fact, all of
> security.toolchain.dev could just be a repo with:

Agreed 100% on a repo with md files or rst to publish with sphinx and readthedocs.

-- 
Cheers,
Carlos.


Thread overview:
2023-08-10 17:17 Resources for glibc CNA Siddhesh Poyarekar
2023-08-10 18:15 ` Konstantin Ryabitsev
2023-08-10 18:25   ` Siddhesh Poyarekar
2023-08-10 18:41     ` Konstantin Ryabitsev
2023-08-10 21:33       ` Carlos O'Donell
2023-08-11 15:28         ` Siddhesh Poyarekar
2023-08-11 16:49           ` Carlos O'Donell [this message]