Git Mailing List Archive on lore.kernel.org
 help / color / Atom feed
From: "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Denton Liu <liu.denton@gmail.com>,
	Bagas Sanjaya <bagasdotme@gmail.com>,
	Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: [PATCH v2 0/2] Describe Git's security policy
Date: Mon, 29 Mar 2021 13:43:02 +0000
Message-ID: <pull.917.v2.git.1617025385.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.917.git.1616796767.gitgitgadget@gmail.com>

On GitHub, SECURITY.md files are the recommended way to describe how to
report vulnerabilities, and to set expectations how far back maintenance
tracks are updated with security bug fixes.

For example, when navigating to https://github.com/git/git/security/ users
would be guided to that SECURITY.md file. If it exists.

The purpose of this patch series is to add this file, describing Git's
security policy.

While at it, I also want to document the process how to coordinate the
ensuing embargoed releases. This is what the second patch is all about.

The reason for that is quite selfish, as I did two of them, and while I am
happy that such embargoed releases do not happen all that often, the
downside is that I keep forgetting all the details. So this document is not
only meant for knowledge sharing, but in particular to help me the next
time(s) I coordinate an embargoed release.

Many thanks to Junio who reviewed the first draft of this patch series
(where I had not yet separated out
Documentation/howto/coordinate-embargoed-releases.txt).

Changes since v1:

 * Fixed typo

Johannes Schindelin (2):
  SECURITY: describe how to report vulnerabilities
  Document how we do embargoed releases

 Documentation/Makefile                        |   1 +
 .../howto/coordinate-embargoed-releases.txt   | 131 ++++++++++++++++++
 SECURITY.md                                   |  51 +++++++
 3 files changed, 183 insertions(+)
 create mode 100644 Documentation/howto/coordinate-embargoed-releases.txt
 create mode 100644 SECURITY.md


base-commit: e6362826a0409539642a5738db61827e5978e2e4
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-917%2Fdscho%2Fsecurity-policy-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-917/dscho/security-policy-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/917

Range-diff vs v1:

 1:  2c9f5725d96f ! 1:  3f5d866de195 SECURITY: describe how to report vulnerabilities
     @@ SECURITY.md (new)
      +- Ideally a short description (or a script) to demonstrate an
      +  exploit.
      +- The affected platforms and scenarios (the vulnerability might
     -+  only affect setups with case-sensitiv file systems, for
     ++  only affect setups with case-sensitive file systems, for
      +  example).
      +- The name and affiliation of the security researchers who are
      +  involved in the discovery, if any.
 2:  41efaaf62864 = 2:  565d7982d870 Document how we do embargoed releases

-- 
gitgitgadget

  parent reply index

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-26 22:12 [PATCH " Johannes Schindelin via GitGitGadget
2021-03-26 22:12 ` [PATCH 1/2] SECURITY: describe how to report vulnerabilities Johannes Schindelin via GitGitGadget
2021-03-27  0:00   ` Denton Liu
2021-03-29 13:37     ` Johannes Schindelin
2021-03-27  6:34   ` Bagas Sanjaya
2021-03-29 13:41     ` Johannes Schindelin
2021-03-26 22:12 ` [PATCH 2/2] Document how we do embargoed releases Johannes Schindelin via GitGitGadget
2021-03-29 13:43 ` Johannes Schindelin via GitGitGadget [this message]
2021-03-29 13:43   ` [PATCH v2 1/2] SECURITY: describe how to report vulnerabilities Johannes Schindelin via GitGitGadget
2021-03-29 13:43   ` [PATCH v2 2/2] Document how we do embargoed releases Johannes Schindelin via GitGitGadget
2021-04-20 19:50     ` [PATCH v2 2/2] Document how we do embargoed releases - improving mail template Robin H. Johnson
2021-04-20 21:51       ` Junio C Hamano
2021-04-20 22:45         ` Robin H. Johnson
2021-04-20 23:34           ` Junio C Hamano
2021-04-20 23:31         ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=pull.917.v2.git.1617025385.gitgitgadget@gmail.com \
    --to=gitgitgadget@gmail.com \
    --cc=bagasdotme@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=johannes.schindelin@gmx.de \
    --cc=liu.denton@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Git Mailing List Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/git/0 git/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 git git/ https://lore.kernel.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.git


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git