On 8/8/23 13:46, David Edelsohn wrote:
> I believe that upstream projects for components that are imported
> into GCC should be responsible for their security policy, including
> libgo, gofrontend, libsanitizer (other than local patches), zlib,
> libtool, libphobos, libcody, libffi, eventually Rust libcore, etc.

I agree completely.

We can reference the upstream and direct people to follow upstream security
policy for these bundled components.

Any other policy risks having conflicting guidance between the projects,
which is not useful for security policy.

There might be exceptions to this rule, particularly when the downstream
wants to accept particular risks while upstream does not; but none of these
components are in that case IMO.

-- 
Cheers,
Carlos.