* [PATCH v2 0/2] Add MAINTAINERS and SECURITY files
@ 2021-06-07 18:07 Daniel Kiper
  2021-06-07 18:07 ` [PATCH v2 1/2] MAINTAINERS: Add MAINTAINERS file Daniel Kiper
  2021-06-07 18:07 ` [PATCH v2 2/2] SECURITY: Add SECURITY file Daniel Kiper
  0 siblings, 2 replies; 5+ messages in thread
From: Daniel Kiper @ 2021-06-07 18:07 UTC
  To: grub-devel
  Cc: alexander.burmashev, eric.snowberg, jan.setjeeilers, john.haxby,
	kanth.ghatraju, konrad.wilk, chris.coulson, cjwatson, javierm,
	mbenatto, leif, pjones, pmenzel, steve, xnox

Hey,

I want to add MAINTAINERS and SECURITY files to the GRUB source code before
the 2.06 release. The former says basic things about the project including who
is who. The latter describes the SECURITY process for the GRUB.

Daniel

 MAINTAINERS | 35 +++++++++++++++++++++++++++++++++++
 README      |  6 ++++++
 SECURITY    | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)

Daniel Kiper (2):
      MAINTAINERS: Add MAINTAINERS file
      SECURITY: Add SECURITY file




* [PATCH v2 1/2] MAINTAINERS: Add MAINTAINERS file
  2021-06-07 18:07 [PATCH v2 0/2] Add MAINTAINERS and SECURITY files Daniel Kiper
@ 2021-06-07 18:07 ` Daniel Kiper
  2021-06-07 19:54   ` Paul Menzel
  2021-06-07 18:07 ` [PATCH v2 2/2] SECURITY: Add SECURITY file Daniel Kiper
  1 sibling, 1 reply; 5+ messages in thread
From: Daniel Kiper @ 2021-06-07 18:07 UTC
  To: grub-devel
  Cc: alexander.burmashev, eric.snowberg, jan.setjeeilers, john.haxby,
	kanth.ghatraju, konrad.wilk, chris.coulson, cjwatson, javierm,
	mbenatto, leif, pjones, pmenzel, steve, xnox

The MAINTAINERS file provides basic information about the GRUB project
and its maintainers.

Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
v2 - suggestions/fixes:
   - mention the MAINTAINERS file in the README file
     (suggested by Paul Menzel),
   - s/http/https/
     (suggested by Paul Menzel).
---
 MAINTAINERS | 31 +++++++++++++++++++++++++++++++
 README      |  2 ++
 2 files changed, 33 insertions(+)
 create mode 100644 MAINTAINERS

diff --git a/MAINTAINERS b/MAINTAINERS
new file mode 100644
index 000000000..9eff2b8ab
--- /dev/null
+++ b/MAINTAINERS
@@ -0,0 +1,31 @@
+List of current GRUB maintainers and some basic information about the project
+=============================================================================
+
+Here is the list of current GRUB maintainers:
+  - Daniel Kiper <daniel.kiper@oracle.com> and <dkiper@net-space.pl>,
+  - Alex Burmashev <alexander.burmashev@oracle.com>,
+  - Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>.
+
+The maintainers drive and overlook the GRUB development.
+
+The GRUB development happens on the grub-devel mailing list [1]. The latest
+GRUB source code is available at Savannah git repository [2].
+
+Users can ask for help on the help-grub mailing list [3].
+
+
+List of past GRUB maintainers and people who strongly contributed to the project
+================================================================================
+
+Here is the list, sorted alphabetically, of past GRUB maintainers and people who
+strongly contributed to the project:
+  - Andrei Borzenkov,
+  - Bryan Ford,
+  - Erich Stefan Boleyn,
+  - Gordon Matzigkeit,
+  - Yoshinori K. Okuji.
+
+
+[1] https://lists.gnu.org/mailman/listinfo/grub-devel
+[2] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
+[3] https://lists.gnu.org/mailman/listinfo/help-grub
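Review bot: In the added line "The maintainers drive and overlook the GRUB development", "overlook" means to miss or ignore something; "oversee" is the word intended here. Reference [2] also carries what looks like web-form residue in its query string ("&view=view+git+repository"); consider trimming it to "?p=grub.git" if that resolves to the same page. Finally, the file lists Vladimir Serbinenko as <phcoder@gmail.com> while the Signed-off-by above uses <phcoder@google.com>; if only one of these is the address contributors should write to, the file should use that one consistently.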
diff --git a/README b/README
index 685b01657..b1aa79723 100644
--- a/README
+++ b/README
@@ -7,6 +7,8 @@ See the file NEWS for a description of recent changes to GRUB 2.
 See the file INSTALL for instructions on how to build and install the
 GRUB 2 data and program files.
 
+See the file MAINTAINERS for information about the GRUB maintainers, etc.
+
 Please visit the official web page of GRUB 2, for more information.
 The URL is <http://www.gnu.org/software/grub/grub.html>.
 
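Review bot: The added README sentence ends in "etc.", which gives the reader no hint that MAINTAINERS also holds the mailing-list and repository pointers; naming them (for example "the GRUB maintainers, mailing lists and source repository") would make the reference useful. The v2 changelog lists s/http/https/, but the context line below the addition still reads <http://www.gnu.org/software/grub/grub.html>; it is worth switching in the same series if the site serves HTTPS.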
-- 
2.11.0




* [PATCH v2 2/2] SECURITY: Add SECURITY file
  2021-06-07 18:07 [PATCH v2 0/2] Add MAINTAINERS and SECURITY files Daniel Kiper
  2021-06-07 18:07 ` [PATCH v2 1/2] MAINTAINERS: Add MAINTAINERS file Daniel Kiper
@ 2021-06-07 18:07 ` Daniel Kiper
  1 sibling, 0 replies; 5+ messages in thread
From: Daniel Kiper @ 2021-06-07 18:07 UTC
  To: grub-devel
  Cc: alexander.burmashev, eric.snowberg, jan.setjeeilers, john.haxby,
	kanth.ghatraju, konrad.wilk, chris.coulson, cjwatson, javierm,
	mbenatto, leif, pjones, pmenzel, steve, xnox

The SECURITY file describes the GRUB project security policy.

It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md

Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
v2 - suggestions/fixes:
   - mention the SECURITY file in the README file
     (suggested by Paul Menzel),
   - improve some wording in the SECURITY file
     (suggested by Paul Menzel).
---
 MAINTAINERS |  4 ++++
 README      |  4 ++++
 SECURITY    | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 SECURITY

diff --git a/MAINTAINERS b/MAINTAINERS
index 9eff2b8ab..45e870c78 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8,6 +8,10 @@ Here is the list of current GRUB maintainers:
 
 The maintainers drive and overlook the GRUB development.
 
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 The GRUB development happens on the grub-devel mailing list [1]. The latest
 GRUB source code is available at Savannah git repository [2].
 
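Review bot: The added paragraph sits directly above the pointer to the public grub-devel list but never says that security bugs must not be posted there; since the SECURITY file in this patch states that such bugs are handled in private, say so here explicitly, for example "do not report it on the public mailing lists". Wording: "information how to" should be "information on how to", "this kind of bugs" should be "this kind of bug", and a comma is missing after "in the GRUB".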
diff --git a/README b/README
index b1aa79723..49ce15ea3 100644
--- a/README
+++ b/README
@@ -9,6 +9,10 @@ GRUB 2 data and program files.
 
 See the file MAINTAINERS for information about the GRUB maintainers, etc.
 
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 Please visit the official web page of GRUB 2, for more information.
 The URL is <http://www.gnu.org/software/grub/grub.html>.
 
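Review bot: This README paragraph is a verbatim copy of the one added to MAINTAINERS in the same patch, so any later rewording has to be made in two places. Keeping the full sentence in README and reducing the MAINTAINERS copy to a one-line pointer to SECURITY (or the other way round) avoids the two drifting apart.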
diff --git a/SECURITY b/SECURITY
new file mode 100644
index 000000000..2d2267858
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,60 @@
+Security Policy
+===============
+
+To report a vulnerability see "Reporting a Vulnerability" below.
+
+
+Security Incident Policy
+========================
+
+Security bug reports are treated with special attention and are handled
+differently from normal bugs. In particular, security sensitive bugs are not
+handled in public but in private. Information about the bug and access to it
+is restricted to people in the security group, the individual engineers that
+work on fixing it, and any other person who needs to be involved for organisational
+reasons. The process is handled by the security team, which decides on the people
+involved in order to fix the issue. It is also guaranteed that the person reporting
+the issue has visibility into the process of fixing it. Any security issue gets
+prioritized according to its security rating. The issue is opened up to the public
+in coordination with the release schedule and the reporter.
+
+
+Disclosure Policy
+=================
+
+Everyone involved in the handling of a security issue - including the reporter -
+is required to adhere to the following policy. Any information related to
+a security issue must be treated as confidential and only shared with trusted
+partners if necessary, for example to coordinate a release or manage exposure
+of clients to the issue. No information must be disclosed to the public before
+the embargo ends. The embargo time is agreed upon by all involved parties. It
+should be as short as possible without putting any users at risk.
+
+
+Supported Versions
+==================
+
+Only the most recent version of the GRUB is supported.
+
+While there's currently no bug bounty program we appreciate every report.
+
+
+Reporting a Vulnerability
+=========================
+
+The security report should be encrypted with the PGP keys and send to ALL email
+addresses listed below. Every vulnerability report will be assessed within
+72 hours of receiving it. If the outcome of the assessment is that the report
+describes a security issue, the report will be transferred into an issue on the
+internal vulnerability project for further processing. The reporter is updated
+on each step of the process.
+
+* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
+           Daniel Kiper <dkiper@net-space.pl>
+* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+
+* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
+* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E
+
+* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
+* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209
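Review bot: "Reporting a Vulnerability" asks for reports "encrypted with the PGP keys" but gives only fingerprints, with no statement of where the public keys can be fetched (a keyserver, the project web page, or a keys file in the tree); a reporter cannot follow the instruction without that. It should also say whether the single fingerprint listed for Daniel Kiper covers both of his addresses. Smaller points: "send to ALL" should be "sent to ALL"; "No information must be disclosed" reads more clearly as "Information must not be disclosed"; "security group" and "security team" are used without saying who belongs to them; "exposure of clients" and "internal vulnerability project" look carried over from the Wire template named in the commit message and may not match how GRUB works; "most recent version" does not say whether that means the latest release or the current git tree; and the bug bounty sentence sits under "Supported Versions", where it does not belong.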
-- 
2.11.0




* Re: [PATCH v2 1/2] MAINTAINERS: Add MAINTAINERS file
  2021-06-07 18:07 ` [PATCH v2 1/2] MAINTAINERS: Add MAINTAINERS file Daniel Kiper
@ 2021-06-07 19:54   ` Paul Menzel
  2021-06-08 11:37     ` Daniel Kiper
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Menzel @ 2021-06-07 19:54 UTC
  To: Daniel Kiper
  Cc: alexander.burmashev, eric.snowberg, jan.setjeeilers, john.haxby,
	kanth.ghatraju, konrad.wilk, chris.coulson, cjwatson, javierm,
	mbenatto, leif, pjones, steve, xnox, grub-devel

Dear Daniel,


On 07.06.21 at 20:07, Daniel Kiper wrote:
> The MAINTAINERS file provides basic information about the GRUB project
> and its maintainers.
> 
> Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
> Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
> ---
> v2 - suggestions/fixes:
>     - mention the MAINTAINERS file in the README file
>       (suggested by Paul Menzel),
>     - s/http/https/
>       (suggested by Paul Menzel).
> ---
>   MAINTAINERS | 31 +++++++++++++++++++++++++++++++
>   README      |  2 ++
>   2 files changed, 33 insertions(+)
>   create mode 100644 MAINTAINERS
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> new file mode 100644
> index 000000000..9eff2b8ab
> --- /dev/null
> +++ b/MAINTAINERS
> @@ -0,0 +1,31 @@
> +List of current GRUB maintainers and some basic information about the project
> +=============================================================================
> +
> +Here is the list of current GRUB maintainers:
> +  - Daniel Kiper <daniel.kiper@oracle.com> and <dkiper@net-space.pl>,
> +  - Alex Burmashev <alexander.burmashev@oracle.com>,
> +  - Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>.
> +
> +The maintainers drive and overlook the GRUB development.
> +
> +The GRUB development happens on the grub-devel mailing list [1]. The latest
> +GRUB source code is available at Savannah git repository [2].
> +
> +Users can ask for help on the help-grub mailing list [3].
> +
> +
> +List of past GRUB maintainers and people who strongly contributed to the project
> +================================================================================
> +
> +Here is the list, sorted alphabetically, of past GRUB maintainers and people who
> +strongly contributed to the project:
> +  - Andrei Borzenkov,
> +  - Bryan Ford,
> +  - Erich Stefan Boleyn,
> +  - Gordon Matzigkeit,
> +  - Yoshinori K. Okuji.
> +
> +
> +[1] https://lists.gnu.org/mailman/listinfo/grub-devel
> +[2] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
> +[3] https://lists.gnu.org/mailman/listinfo/help-grub
> diff --git a/README b/README
> index 685b01657..b1aa79723 100644
> --- a/README
> +++ b/README
> @@ -7,6 +7,8 @@ See the file NEWS for a description of recent changes to GRUB 2.
>   See the file INSTALL for instructions on how to build and install the
>   GRUB 2 data and program files.
>   
> +See the file MAINTAINERS for information about the GRUB maintainers, etc.
> +

I still think it’s a little confusing to have the information about the
list and the source code URL in the file `MAINTAINERS`.

>   Please visit the official web page of GRUB 2, for more information.
>   The URL is <http://www.gnu.org/software/grub/grub.html>.
>   

Otherwise this looks good.


Kind regards,

Paul



* Re: [PATCH v2 1/2] MAINTAINERS: Add MAINTAINERS file
  2021-06-07 19:54   ` Paul Menzel
@ 2021-06-08 11:37     ` Daniel Kiper
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Kiper @ 2021-06-08 11:37 UTC
  To: Paul Menzel
  Cc: alexander.burmashev, eric.snowberg, jan.setjeeilers, john.haxby,
	kanth.ghatraju, konrad.wilk, chris.coulson, cjwatson, javierm,
	mbenatto, leif, pjones, steve, xnox, grub-devel

Hi Paul,

On Mon, Jun 07, 2021 at 09:54:22PM +0200, Paul Menzel wrote:
> Dear Daniel,
>
> On 07.06.21 at 20:07, Daniel Kiper wrote:
> > The MAINTAINERS file provides basic information about the GRUB project
> > and its maintainers.
> >
> > Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
> > Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
> > Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
> > ---
> > v2 - suggestions/fixes:
> >     - mention the MAINTAINERS file in the README file
> >       (suggested by Paul Menzel),
> >     - s/http/https/
> >       (suggested by Paul Menzel).
> > ---
> >   MAINTAINERS | 31 +++++++++++++++++++++++++++++++
> >   README      |  2 ++
> >   2 files changed, 33 insertions(+)
> >   create mode 100644 MAINTAINERS
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > new file mode 100644
> > index 000000000..9eff2b8ab
> > --- /dev/null
> > +++ b/MAINTAINERS
> > @@ -0,0 +1,31 @@
> > +List of current GRUB maintainers and some basic information about the project
> > +=============================================================================
> > +
> > +Here is the list of current GRUB maintainers:
> > +  - Daniel Kiper <daniel.kiper@oracle.com> and <dkiper@net-space.pl>,
> > +  - Alex Burmashev <alexander.burmashev@oracle.com>,
> > +  - Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>.
> > +
> > +The maintainers drive and overlook the GRUB development.
> > +
> > +The GRUB development happens on the grub-devel mailing list [1]. The latest
> > +GRUB source code is available at Savannah git repository [2].
> > +
> > +Users can ask for help on the help-grub mailing list [3].
> > +
> > +
> > +List of past GRUB maintainers and people who strongly contributed to the project
> > +================================================================================
> > +
> > +Here is the list, sorted alphabetically, of past GRUB maintainers and people who
> > +strongly contributed to the project:
> > +  - Andrei Borzenkov,
> > +  - Bryan Ford,
> > +  - Erich Stefan Boleyn,
> > +  - Gordon Matzigkeit,
> > +  - Yoshinori K. Okuji.
> > +
> > +
> > +[1] https://lists.gnu.org/mailman/listinfo/grub-devel
> > +[2] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
> > +[3] https://lists.gnu.org/mailman/listinfo/help-grub
> > diff --git a/README b/README
> > index 685b01657..b1aa79723 100644
> > --- a/README
> > +++ b/README
> > @@ -7,6 +7,8 @@ See the file NEWS for a description of recent changes to GRUB 2.
> >   See the file INSTALL for instructions on how to build and install the
> >   GRUB 2 data and program files.
> > +See the file MAINTAINERS for information about the GRUB maintainers, etc.
> > +
>
> I still think it’s a little confusing to have the information about the
> list and the source code URL in the file `MAINTAINERS`.

Yeah, I agree it is not perfect but I do not want to delay the GRUB
release any longer. We can polish it up after the release...

> >   Please visit the official web page of GRUB 2, for more information.
> >   The URL is <http://www.gnu.org/software/grub/grub.html>.
>
> Otherwise this looks good.

Great! Thank you for your comments.

Daniel


