* Start using github security advisories @ 2021-10-13 20:56 Joseph Reynolds 2021-10-14 19:12 ` Andrew Geissler 0 siblings, 1 reply; 10+ messages in thread From: Joseph Reynolds @ 2021-10-13 20:56 UTC (permalink / raw) To: openbmc, Andrew Geissler Per today's Security working group meeting, we want to start using [GitHub security advisories][]. I think we need someone with admin permissions to github.com/openbmc/openbmc to create new advisories. Then we'll want a group (team? perhaps security-response-team) with the current OpenBMC [security response team][] members. (I have that list.) How do we get started? Who has admin authority? Joseph [GitHub security advisories]: https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories [security response team]: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-13 20:56 Start using github security advisories Joseph Reynolds @ 2021-10-14 19:12 ` Andrew Geissler 2021-10-18 18:49 ` Brad Bishop 0 siblings, 1 reply; 10+ messages in thread From: Andrew Geissler @ 2021-10-14 19:12 UTC (permalink / raw) To: Joseph Reynolds; +Cc: openbmc > Per today's Security working group meeting, we want to start using [GitHub security advisories][]. I think we need someone with admin permissions to github.com/openbmc/openbmc to create new advisories. Then we'll want a group (team? perhaps security-response-team) with the current OpenBMC [security response team][] members. (I have that list.) Looks like you’ll need admin authority on openbmc/openbmc in order to utilize the security advisories feature. I wonder if it’s better to create a openbmc/security repo and we can give you and the security team admin of that repo for this work? This would also provide a potential location to track github issues for the security team. > On Oct 13, 2021, at 3:56 PM, Joseph Reynolds <jrey@linux.ibm.com> wrote: > > > Per today's Security working group meeting, we want to start using [GitHub security advisories][]. I think we need someone with admin permissions to github.com/openbmc/openbmc to create new advisories. Then we'll want a group (team? perhaps security-response-team) with the current OpenBMC [security response team][] members. (I have that list.) > > How do we get started? Who has admin authority? > > Joseph > > > [GitHub security advisories]: https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories > [security response team]: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-14 19:12 ` Andrew Geissler @ 2021-10-18 18:49 ` Brad Bishop 2021-10-18 19:06 ` Bruce Mitchell 0 siblings, 1 reply; 10+ messages in thread From: Brad Bishop @ 2021-10-18 18:49 UTC (permalink / raw) To: Andrew Geissler; +Cc: openbmc, Joseph Reynolds On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote: >> Per today's Security working group meeting, we want to start using >> [GitHub security advisories][]. I think we need someone with admin >> permissions to github.com/openbmc/openbmc to create new advisories. >> Then we'll want a group (team? perhaps security-response-team) with >> the current OpenBMC [security response team][] members. (I have that >> list.) > >Looks like you’ll need admin authority on openbmc/openbmc in order to >utilize the security advisories feature. I wonder if it’s better to >create a openbmc/security repo and we can give you and the security >team admin of that repo for this work? This would also provide a >potential location to track github issues for the security team. This was my thinking as well Andrew. I'll create openbmc/security-response if I don't see any complaints in the next little while. -brad ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-18 18:49 ` Brad Bishop @ 2021-10-18 19:06 ` Bruce Mitchell 2021-10-27 18:29 ` Mihm, James 0 siblings, 1 reply; 10+ messages in thread From: Bruce Mitchell @ 2021-10-18 19:06 UTC (permalink / raw) To: Brad Bishop, Andrew Geissler; +Cc: openbmc, Joseph Reynolds On 10/18/2021 11:49, Brad Bishop wrote: > On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote: >>> Per today's Security working group meeting, we want to start using >>> [GitHub security advisories][]. I think we need someone with admin >>> permissions to github.com/openbmc/openbmc to create new advisories. >>> Then we'll want a group (team? perhaps security-response-team) with >>> the current OpenBMC [security response team][] members. (I have that >>> list.) >> >> Looks like you’ll need admin authority on openbmc/openbmc in order to >> utilize the security advisories feature. I wonder if it’s better to >> create a openbmc/security repo and we can give you and the security >> team admin of that repo for this work? This would also provide a >> potential location to track github issues for the security team. > > This was my thinking as well Andrew. I'll create > openbmc/security-response if I don't see any complaints in the next > little while. > > -brad I believe we want to make sure that none of security advisories get sent to Discord, wouldn't want to accidentally be going to something like #gh-issues. ^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: Start using github security advisories 2021-10-18 19:06 ` Bruce Mitchell @ 2021-10-27 18:29 ` Mihm, James 2021-10-27 19:29 ` Brad Bishop 0 siblings, 1 reply; 10+ messages in thread From: Mihm, James @ 2021-10-27 18:29 UTC (permalink / raw) To: Bruce Mitchell, Brad Bishop, Andrew Geissler; +Cc: openbmc, Joseph Reynolds Brad or Andrew, Can we proceed with the creation of security repository so that we can run a couple of trials on security issues? I think it's important that we are able to meet the following criteria using a github repo with restricted access. a) individual security issues can be restricted using access control lists without granting global access to all security issues. b) individual security issues can be linked to private code reviews and discussions without leaking information beyond those with a need to know. Regards, James. >-----Original Message----- >From: openbmc <openbmc- >bounces+james.mihm=intel.com@lists.ozlabs.org> On Behalf Of Bruce >Mitchell >Sent: Monday, October 18, 2021 12:06 PM >To: Brad Bishop <bradleyb@fuzziesquirrel.com>; Andrew Geissler ><geissonator@gmail.com> >Cc: openbmc <openbmc@lists.ozlabs.org>; Joseph Reynolds ><jrey@linux.ibm.com> >Subject: Re: Start using github security advisories > >On 10/18/2021 11:49, Brad Bishop wrote: >> On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote: >>>> Per today's Security working group meeting, we want to start using >>>> [GitHub security advisories][]. I think we need someone with admin >>>> permissions to github.com/openbmc/openbmc to create new advisories. >>>> Then we'll want a group (team? perhaps security-response-team) with >>>> the current OpenBMC [security response team][] members. (I have that >>>> list.) >>> >>> Looks like you’ll need admin authority on openbmc/openbmc in order to >>> utilize the security advisories feature. I wonder if it’s better to >>> create a openbmc/security repo and we can give you and the security >>> team admin of that repo for this work? This would also provide a >>> potential location to track github issues for the security team. >> >> This was my thinking as well Andrew. I'll create >> openbmc/security-response if I don't see any complaints in the next >> little while. >> >> -brad > >I believe we want to make sure that none of security advisories >get sent to Discord, wouldn't want to accidentally be going to >something like #gh-issues. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-27 18:29 ` Mihm, James @ 2021-10-27 19:29 ` Brad Bishop 2021-10-27 19:42 ` Brad Bishop 0 siblings, 1 reply; 10+ messages in thread From: Brad Bishop @ 2021-10-27 19:29 UTC (permalink / raw) To: Mihm, James, Bruce Mitchell, Andrew Geissler; +Cc: openbmc, Joseph Reynolds On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote: > Brad or Andrew, Can we proceed with the creation of security > repository so that we can run a couple of trials on security issues? Hi James, thanks for the ping. The only reason I haven't already done this was this comment from Bruce: > > > > I believe we want to make sure that none of security advisories > > get sent to Discord, wouldn't want to accidentally be going to > > something like #gh-issues. This was a good point and I'm not sure what to do about it. -brad ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-27 19:29 ` Brad Bishop @ 2021-10-27 19:42 ` Brad Bishop 2021-10-28 13:31 ` Joseph Reynolds 0 siblings, 1 reply; 10+ messages in thread From: Brad Bishop @ 2021-10-27 19:42 UTC (permalink / raw) To: Mihm, James, Bruce Mitchell, Andrew Geissler; +Cc: openbmc, Joseph Reynolds On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote: > On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote: > > Brad or Andrew, Can we proceed with the creation of security > > repository so that we can run a couple of trials on security issues? > > Hi James, thanks for the ping. > > The only reason I haven't already done this was this comment from > Bruce: > > > > > > > I believe we want to make sure that none of security advisories > > > get sent to Discord, wouldn't want to accidentally be going to > > > something like #gh-issues. > > This was a good point and I'm not sure what to do about it. Hi James I created the security-reponse github group and the security-response repo just now and made it private. Please do some testing and make sure issues don't find their way into #gh-issues on Discord. thx - brad ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-27 19:42 ` Brad Bishop @ 2021-10-28 13:31 ` Joseph Reynolds 2021-10-28 13:43 ` Patrick Williams 0 siblings, 1 reply; 10+ messages in thread From: Joseph Reynolds @ 2021-10-28 13:31 UTC (permalink / raw) To: Brad Bishop, Mihm, James, Bruce Mitchell, Andrew Geissler; +Cc: openbmc On 10/27/21 2:42 PM, Brad Bishop wrote: > On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote: >> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote: >>> Brad or Andrew, Can we proceed with the creation of security >>> repository so that we can run a couple of trials on security issues? >> Hi James, thanks for the ping. >> >> The only reason I haven't already done this was this comment from >> Bruce: >> >>>> I believe we want to make sure that none of security advisories >>>> get sent to Discord, wouldn't want to accidentally be going to >>>> something like #gh-issues. >> This was a good point and I'm not sure what to do about it. > Hi James > > I created the security-reponse github group and the security-response > repo just now and made it private. Please do some testing and make sure > issues don't find their way into #gh-issues on Discord. > > thx - brad Thanks Brad! The plan is to write the first issues from real-live but low-severity problems which are also common knowledge within the openBMC community. Meaning: there will be minimal harm if the problem is disclosed. - Joseph ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-28 13:31 ` Joseph Reynolds @ 2021-10-28 13:43 ` Patrick Williams 2021-10-28 14:22 ` Joseph Reynolds 0 siblings, 1 reply; 10+ messages in thread From: Patrick Williams @ 2021-10-28 13:43 UTC (permalink / raw) To: Joseph Reynolds; +Cc: Bruce Mitchell, Brad Bishop, openbmc [-- Attachment #1: Type: text/plain, Size: 2454 bytes --] On Thu, Oct 28, 2021 at 08:31:37AM -0500, Joseph Reynolds wrote: > On 10/27/21 2:42 PM, Brad Bishop wrote: > > On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote: > >> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote: > >>> Brad or Andrew, Can we proceed with the creation of security > >>> repository so that we can run a couple of trials on security issues? > >> Hi James, thanks for the ping. > >> > >> The only reason I haven't already done this was this comment from > >> Bruce: > >> > >>>> I believe we want to make sure that none of security advisories > >>>> get sent to Discord, wouldn't want to accidentally be going to > >>>> something like #gh-issues. > >> This was a good point and I'm not sure what to do about it. > > Hi James > > > > I created the security-reponse github group and the security-response > > repo just now and made it private. Please do some testing and make sure > > issues don't find their way into #gh-issues on Discord. > > > > thx - brad > > Thanks Brad! > > The plan is to write the first issues from real-live but low-severity > problems which are also common knowledge within the openBMC community. > Meaning: there will be minimal harm if the problem is disclosed. > > - Joseph I want to reiterate three things: 1. In Github, security advisories are different from issues. Security advisories are suppose to be able to be collaborated on in private without the repository itself being private. Only when you are ready to reveal the security advisory can you switch it to be public. 2. We have two webhooks for Discord now: one for issues and one for code changes. Security advisories are not currently covered. If you make an issue in a public repository anyone can see it, even if it isn't covered by a Discord webhook, so "limiting the awareness by avoiding the Discord webhook" isn't really what you want anyhow. You need to make sure the information you want to be kept private is private (and again security advisories are suppose to be the way to do that). 3. Having a private repository means you cannot report any security advisories (or issues) in a public way. Today if someone goes to https://github.com/openbmc/security-response they get a 404 (unless they have explicit access to the private repository). -- Patrick Williams [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Start using github security advisories 2021-10-28 13:43 ` Patrick Williams @ 2021-10-28 14:22 ` Joseph Reynolds 0 siblings, 0 replies; 10+ messages in thread From: Joseph Reynolds @ 2021-10-28 14:22 UTC (permalink / raw) To: Patrick Williams; +Cc: Bruce Mitchell, Brad Bishop, openbmc On 10/28/21 8:43 AM, Patrick Williams wrote: > ...snip... > I want to reiterate three things: > > 1. In Github, security advisories are different from issues. Security > advisories are suppose to be able to be collaborated on in private > without the repository itself being private. Only when you are ready to > reveal the security advisory can you switch it to be public. That matches my understanding. The entire openbmc/security-response repo will be private to the OpenBMC security response team. In this repo we will: A. Track reported vulnerabilities under openbmc/security-response/issues. B. Work on draft security advisories. We don't have the exact workflow worked out. I was thinking we could publish the security advisories under openbmc/openbmc/security. Security advisory notes: - The term "security advisory" as used here means the public announcement of a security vulnerability together with a mitigation (such as a fix or a workaround). The OpenBMC security response team works on the security advisory in private, and then publishes these advisories when ready. See the [guidelines][]. - IBM X-Force collects "security advisories" from all sources and publishes "security advisories" which it calls "security bulletins". The main distinction is advisories are input to the process, and bulletins are output. [guidelines]: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md > 2. We have two webhooks for Discord now: one for issues and one for code > changes. Security advisories are not currently covered. If you make an > issue in a public repository anyone can see it, even if it isn't covered > by a Discord webhook, so "limiting the awareness by avoiding the Discord > webhook" isn't really what you want anyhow. You need to make sure the > information you want to be kept private is private (and again security > advisories are suppose to be the way to do that). We plan to test the confidentiality of the openbmc/security-response repo with respect to discord. > 3. Having a private repository means you cannot report any security > advisories (or issues) in a public way. Today if someone goes to > https://github.com/openbmc/security-response they get a 404 (unless they > have explicit access to the private repository). I was thinking we could publish the security advisories under openbmc/openbmc/security. We are still trying to figure out the workflow. ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2021-10-28 14:30 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-10-13 20:56 Start using github security advisories Joseph Reynolds 2021-10-14 19:12 ` Andrew Geissler 2021-10-18 18:49 ` Brad Bishop 2021-10-18 19:06 ` Bruce Mitchell 2021-10-27 18:29 ` Mihm, James 2021-10-27 19:29 ` Brad Bishop 2021-10-27 19:42 ` Brad Bishop 2021-10-28 13:31 ` Joseph Reynolds 2021-10-28 13:43 ` Patrick Williams 2021-10-28 14:22 ` Joseph Reynolds
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).