Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process

[Maxime Coquelin <maxime.coquelin@redhat.com>]

On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> From: Luca Boccassi <luca.boccassi@microsoft.com>
> 
> The OSS-security project functions as a single point of contact for
> pre-release, embargoed security notifications. Distributions and major
> vendors are subscribed to this private list, so that they can be warned
> in advance and schedule the work required to fix the vulnerability.
> 
> List and link this process in the DPDK security process document.
> 
> Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
> ---
> v1: As discussed at Userspace, we should include oss-security in the advanced
>     private notice. This change has a brief explanation and a link to the
>     process.
> v2: --signoff missing in v1, lost somewhere between brain and keyboard
> 
>  doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)

Thanks Luca, it's much appreciated.
Other than the typo reported below, it looks good to me:

Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Maxime


> 
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index a4bef48576..78f65fe81b 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list
>  * Major DPDK users, considered trustworthy by the technical board, who
>    have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
>  
> +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
> +also be contacted one week before the end of the embargo, as indicated by `the
> +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
> +and using the PGP key listed on the same page, describind the details of the

s/describind/describing/

> +vulnerability and sharing the patch[es]. Distributions and major vendors follow
> +this private mailing list, and it functions as a single point of contact for
> +embargoed advance notices for open source projects.
> +
>  The security advisory will be based on below template,
>  and will be sent signed with a security team's member GPG key.
>  
> @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
>  do not have to deal with security updates over the weekend.
>  
>  The security advisory is posted
> -to `announce@dpdk.org <mailto:announce@dpdk.org>`_
> -as soon as the patches are pushed to the appropriate branches.
> +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
> +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
> +are pushed to the appropriate branches.
>  
>  Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
>  and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.
>