Carlos O'Donell
@zackw @njsmith Do you think it is possible, given that we're building libcrypt.so.2 (from libxcrypt) for the manylinux* containers, that we build libcrypt.so.1 (compat version again from libxcrypt) and use...
As an upstream glibc steward I support @siddhesh's suggestion to use `pkg:gnu/glibc` for the url.
Just out of curiosity, as an upstream glibc developer, glibc security team member, and glibc CNA member... what is your plan to address CVEs under the SLA required for FedRAMP?...
@eric-desrochers You aren't missing anything. There are 4 reserved CVEs that are public (not under embargo) for which we're about to publish advisories. You can see them here: [CVE-2024-33599, CVE-2024-33600,...
@eric-desrochers The really pertinent question for me, and the reason I commented on this ticket is to determine if the information is *valuable* and *useful* to you. Are you able...