From: David Marchand <david.marchand@redhat.com>
To: luca.boccassi@gmail.com
Cc: dev <dev@dpdk.org>, Maxime Coquelin <maxime.coquelin@redhat.com>
Subject: Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process
Date: Fri, 15 Nov 2019 09:54:52 +0100
Message-ID: <CAJFAV8wfTd7Eox+Ltk+LLP5SHj3Ma=kmEHXvYoB6XainwOKyDg@mail.gmail.com>
In-Reply-To: <0732104f-7865-e29e-7336-0e66a30a1334@redhat.com>
On Fri, Sep 27, 2019 at 9:21 AM Maxime Coquelin
<maxime.coquelin@redhat.com> wrote:
> On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> > From: Luca Boccassi <luca.boccassi@microsoft.com>
> >
> > The OSS-security project functions as a single point of contact for
> > pre-release, embargoed security notifications. Distributions and major
> > vendors are subscribed to this private list, so that they can be warned
> > in advance and schedule the work required to fix the vulnerability.
> >
> > List and link this process in the DPDK security process document.
> >
> > Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
> > ---
> > v1: As discussed at Userspace, we should include oss-security in the advanced
> > private notice. This change has a brief explanation and a link to the
> > process.
> > v2: --signoff missing in v1, lost somewhere between brain and keyboard
> >
> > doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
>
> Thanks Luca, it's much appreciated.
> Other than the typo reported below, it looks good to me:
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
>
> Maxime
>
>
> >
> > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> > index a4bef48576..78f65fe81b 100644
> > --- a/doc/guides/contributing/vulnerability.rst
> > +++ b/doc/guides/contributing/vulnerability.rst
> > @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list
> > * Major DPDK users, considered trustworthy by the technical board, who
> > have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
> >
> > +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
> > +also be contacted one week before the end of the embargo, as indicated by `the
> > +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
> > +and using the PGP key listed on the same page, describind the details of the
>
> s/describind/describing/
Fixed while applying.
>
> > +vulnerability and sharing the patch[es]. Distributions and major vendors follow
> > +this private mailing list, and it functions as a single point of contact for
> > +embargoed advance notices for open source projects.
> > +
> > The security advisory will be based on below template,
> > and will be sent signed with a security team's member GPG key.
> >
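Review bot: both reStructuredText hyperlinks in the added paragraph are malformed and will render as literal interpreted text rather than links. `OSS security private mailing list mailto:distros@vs.openwall.org>` is missing the opening `<` before `mailto:` and the trailing `_`, and `the OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>` is also missing the trailing `_`. The existing entry just above shows the intended form, `techboard@dpdk.org <mailto:techboard@dpdk.org>`_, so the fix is `OSS security private mailing list <mailto:distros@vs.openwall.org>`_ and `...mailing-lists/distros>`_. The "describind" typo is already flagged above.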
> > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
> > do not have to deal with security updates over the weekend.
> >
> > The security advisory is posted
> > -to `announce@dpdk.org <mailto:announce@dpdk.org>`_
> > -as soon as the patches are pushed to the appropriate branches.
> > +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
> > +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
> > +are pushed to the appropriate branches.
> >
> > Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
> > and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.
> >
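Review bot: same markup problem in this hunk: `the public OSS-security mailing list <mailto:oss-security@lists.openwall.com>` lacks the trailing `_` that the adjacent `announce@dpdk.org <mailto:announce@dpdk.org>`_ reference carries, so Sphinx will not turn it into a link; add the underscore. Since the public oss-security@lists.openwall.com address and the private distros@vs.openwall.org address from the first hunk look similar, it would also help readers of the process to state explicitly that only the public list receives the post-embargo advisory and that embargoed details go solely to the private list.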
Applied, thanks.
--
David Marchand
2019-09-21 14:47 [dpdk-dev] [PATCH] " luca.boccassi
2019-09-21 14:52 ` [dpdk-dev] [PATCH v2] " luca.boccassi
2019-09-27 7:21 ` Maxime Coquelin
2019-11-15 8:54 ` David Marchand [this message]