From patchwork Wed Jul 2 16:07:54 2025
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 115465
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: fweimer@redhat.com
Subject: [PATCH] Reword statement about filing private security issues
Date: Wed, 2 Jul 2025 12:07:54 -0400
Message-ID: <20250702160754.257872-1-siddhesh@gotplt.org>
In-Reply-To: <87ms9tq6lw.fsf@mid.deneb.enyo.de>
References: <87ms9tq6lw.fsf@mid.deneb.enyo.de>

I'll commit this shortly, hopefully it reflects what you suggested. The trailing '/' was a typo :)

Thanks,
Sid

--->8---
The "file a private bug" in the context of that paragraph can be misleading, so reword it to make it clear that one needs to privately email the glibc CNA to file a security issue.

Signed-off-by: Siddhesh Poyarekar
--- security.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security.html b/security.html index 9916098..dc22ce6 100644 --- a/security.html +++ b/security.html @@ -82,12 +82,12 @@ network or can be used for local privilege escalation (through existing applications, not synthetic test cases) should be reported privately. We expect that such critical security bugs are rare, and that most security bugs can be reported in Bugzilla, thus making them public immediately. -If in doubt, you can file a private bug. -/

+If in doubt, report the issue privately, as indicated below. +

-If you want to report a private security bug, please contact the -security team at +If you want to report a private security issue, please contact +the security team at glibc-cna@sourceware.org. If you would like to encrypt communication about the security issue, you may use the GPG keys of the security team members and
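
Review bot: In the second changed paragraph, "report a private security issue" still attaches "private" to the issue rather than to the act of reporting, which is the same ambiguity the commit message sets out to remove from "file a private bug". Consider "If you want to report a security issue privately, please contact the security team at glibc-cna@sourceware.org", which also lines up with the new "report the issue privately" sentence in the paragraph above. Separately, the unchanged context lines still say "security bugs" while both added lines say "issue"; using one term throughout the section would make it clearer that the Bugzilla path and the private e-mail path cover the same kind of report.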