<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="FR" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi JF,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks for putting up this proposal.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Regarding your question, which I answer both as an individual and with an Arm hat:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">><span style="color:black"> Should we create a security group and process?</span><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Yes! We believe it's good to have such a group and a process. It may not be perfect for everyone, but that's way better than nothing, and the current proposal has the necessary bits to evolve and
adapt over time to the actual needs.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> Do you agree with the goals listed in the proposal?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Yes!</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> At a high-level, what do you think should be done differently, and what do you think is exactly right in the draft proposal?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Dealing with security vulnerabilities is often a bit of a mess, done under time pressure, so having a “safe” place to quickly iterate / coordinate amongst interested parties, taking into account
upstream LLVM, is necessary.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">We like that the role of this group is to deal / coordinate security-related issues, not to define an overall security roadmap for LLVM --- this should happen in the open using the standard communication
channels.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">We think this group could work on proof of concept fixes or act as a proxy in case the work is done externally, providing (pre-)reviews to ensure the fixes are at the expected LLVM quality level, but
the actual code reviews for committing LLVM upstream should be conducted using the standard community process (i.e. no special channel / fast lane for committing).</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> Our approach to this issue:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 1. Are you an LLVM contributor (individual or representing a company)?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">I respond here both as an individual contributor and also on behalf of my employer, Arm.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 2. Are you involved with security aspects of LLVM (if so, which)?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">I'm involved with security aspects in general, and have occasionally been involved in some LLVM-specific aspects of security.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 3. Do you maintain significant downstream LLVM changes?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Yes, we do, and a number of other companies using Arm also have downstream changes they maintain.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 4. Do you package and deploy LLVM for others to use (if so, to how many people)?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">In our case, the situation is not as simple as "package & deploy".</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">As a company, we care that all Arm users get the security fixes, whether this is through software (tools or libraries) directly or indirectly shipped by Arm, or through their own tool / library provider, or through the vanilla
open source channel.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 5. Is your LLVM distribution based on the open-source releases?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">We don't, but I'm sure there are distributions / users relying on the open-source releases.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">We thus believe it's important that backports are made and shared whenever possible.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 6. How often do you usually deploy LLVM?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">We usually have about half a dozen releases a year, but then our downstream users have their own constraints / agenda. This will of course be different for other people providing Arm tools & libraries.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 7. How fast can you deploy an update?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">On our end, we usually need about 4 weeks, and our downstream users have their own constraints / agenda. This will of course be different for other people providing Arm tools & libraries.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">> 8. Does your LLVM distribution handle untrusted inputs, and what kind?<br>
> 9. What’s the threat model for your LLVM distribution?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Given our large user base and usage models, answering this precisely now and here is impossible.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Kind regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Arnaud<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">llvm-dev &lt;llvm-dev-bounces@lists.llvm.org&gt; on behalf of JF Bastien via llvm-dev &lt;llvm-dev@lists.llvm.org&gt;<br>
<b>Reply to: </b>JF Bastien &lt;jfbastien@apple.com&gt;<br>
<b>Date: </b>Saturday 16 November 2019 at 17:23<br>
<b>To: </b>llvm-dev &lt;llvm-dev@lists.llvm.org&gt;<br>
<b>Subject: </b>[llvm-dev] [RFC] LLVM Security Group and Process<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<h1 style="caret-color: rgb(0, 0, 0)"><span style="font-size:9.0pt;font-family:HelveticaNeue;color:black;font-weight:normal">Hello compiler enthusiasts,</span><span style="color:black"><o:p></o:p></span></h1>
<div>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black"><br>
<br>
<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black">The Apple LLVM team would like to propose that a new security process and an associated private LLVM Security Group be created under the umbrella of the LLVM project.<br>
<br>
A draft proposal for how we could organize such a group and what its process could be is </span><a href="https://reviews.llvm.org/D70326">available on Phabricator</a><span style="font-family:HelveticaNeue;color:black">. The proposal starts with a list of goals
for the process and Security Group, repeated here:<br>
<br>
The LLVM Security Group has the following goals:<br style="caret-color: rgb(0, 0, 0)">
<br>
</span><o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:HelveticaNeue">Allow LLVM contributors and security researchers to disclose security-related issues affecting the LLVM project to members of the LLVM community.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:HelveticaNeue">Organize fixes, code reviews, and release management for said issues.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:HelveticaNeue">Allow distributors time to investigate and deploy fixes before wide dissemination of vulnerabilities or mitigation shortcomings.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:HelveticaNeue">Ensure timely notification and release to vendors who package and distribute LLVM-based toolchains and projects.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:HelveticaNeue">Ensure timely notification to users of LLVM-based toolchains whose compiled code is security-sensitive, through <a href="https://cve.mitre.org/">the CVE process</a>.</span><o:p></o:p></li></ol>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black"><br>
We’re looking for answers to the following questions:<br style="caret-color: rgb(0, 0, 0)">
<br>
</span><o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2">
<u><span style="font-family:HelveticaNeue">On this list</span></u><span style="font-family:HelveticaNeue">: Should we create a security group and process?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2">
<u><span style="font-family:HelveticaNeue">On this list</span></u><span style="font-family:HelveticaNeue">: Do you agree with the goals listed in the proposal?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2">
<u><span style="font-family:HelveticaNeue">On this list</span></u><span style="font-family:HelveticaNeue">: at a high-level, what do you think should be done differently, and what do you think is exactly right in the draft proposal?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2">
<u><span style="font-family:HelveticaNeue">On the Phabricator code review</span></u><span style="font-family:HelveticaNeue">: going into specific details, what do you think should be done differently, and what do you think is exactly right in the draft proposal?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2">
<u><span style="font-family:HelveticaNeue">On this list</span></u><span style="font-family:HelveticaNeue">: to help understand where you’re coming from with your feedback, it would be helpful to state how you personally approach this issue:</span><o:p></o:p></li><ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">Are you an LLVM contributor (individual or representing a company)?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">Are you involved with security aspects of LLVM (if so, which)?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">Do you maintain significant downstream LLVM changes?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">Do you package and deploy LLVM for others to use (if so, to how many people)?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">Is your LLVM distribution based on the open-source releases?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">How often do you usually deploy LLVM?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">How fast can you deploy an update?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">Does your LLVM distribution handle untrusted inputs, and what kind?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo2">
<span style="font-family:HelveticaNeue">What’s the threat model for your LLVM distribution?</span><o:p></o:p></li></ol>
</ol>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black"><br>
Other open-source projects have security-related groups and processes. They structure their group very differently from one another. This proposal borrows from some of these projects’ processes. A few examples:<br style="caret-color: rgb(0, 0, 0)">
<br>
</span><o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<a href="https://webkit.org/security-policy/"><span style="font-family:HelveticaNeue">https://webkit.org/security-policy/</span></a><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<a href="https://chromium.googlesource.com/chromium/src/+/lkgr/docs/security/faq.md"><span style="font-family:HelveticaNeue">https://chromium.googlesource.com/chromium/src/+/lkgr/docs/security/faq.md</span></a><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<a href="https://wiki.mozilla.org/Security"><span style="font-family:HelveticaNeue">https://wiki.mozilla.org/Security</span></a><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<a href="https://www.openbsd.org/security.html"><span style="font-family:HelveticaNeue">https://www.openbsd.org/security.html</span></a><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<a href="https://security-team.debian.org/security_tracker.html"><span style="font-family:HelveticaNeue">https://security-team.debian.org/security_tracker.html</span></a><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<a href="https://www.python.org/news/security/"><span style="font-family:HelveticaNeue">https://www.python.org/news/security/</span></a><o:p></o:p></li></ul>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black">When providing feedback, it would be great to hear if you’ve dealt with these or other projects’ processes, what works well, and what can be done better.<br>
<br>
<br>
I’ll go first in answering my own questions above:<br style="caret-color: rgb(0, 0, 0)">
<br>
</span><o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span style="font-family:HelveticaNeue">Yes! We should create a security group and process.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span style="font-family:HelveticaNeue">We agree with the goals listed.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span style="font-family:HelveticaNeue">We think the proposal is exactly right, but would like to hear the community’s opinions.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span style="font-family:HelveticaNeue">Here’s how we approach the security of LLVM:</span><o:p></o:p></li><ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">I contribute to LLVM as an Apple employee.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">I’ve been involved in a variety of LLVM security issues, from automatic variable initialization to security-related diagnostics, as well as deploying these mitigations to internal codebases.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">We maintain significant downstream changes.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">We package and deploy LLVM, both internally and externally, for a variety of purposes, including the clang, Swift, and mobile GPU shader compilers.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">Our LLVM distribution is not directly derived from the open-source release. In all cases, all non-upstream public patches for our releases are available in repository branches at <a href="https://github.com/apple">https://github.com/apple</a>.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">We have many deployments of LLVM whose release schedules vary significantly. The LLVM build deployed as part of Xcode historically has one major release per year, followed by roughly one minor release every 2 months.
Other releases of LLVM are also security-sensitive and don’t follow the same schedule.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">This depends on which release of LLVM is affected.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">Yes, our distribution sometimes handles untrusted input.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo4">
<span style="font-family:HelveticaNeue">The threat model is highly variable depending on the particular language front-ends being considered.</span><o:p></o:p></li></ol>
</ol>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black">Apple is involved with a variety of open-source projects and their disclosures. For example, we frequently work with the WebKit community to handle security issues through their process.<br>
<br>
<br>
Thanks,<br>
<br>
JF</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:HelveticaNeue;color:black"><br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</body>
</html>