From: David Marchand
Date: Fri, 15 Nov 2019 09:54:52 +0100
To: luca.boccassi@gmail.com
Cc: dev, Maxime Coquelin
Subject: Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process
References: <20190921144738.6962-1-luca.boccassi@gmail.com> <20190921145242.7420-1-luca.boccassi@gmail.com> <0732104f-7865-e29e-7336-0e66a30a1334@redhat.com>
In-Reply-To: <0732104f-7865-e29e-7336-0e66a30a1334@redhat.com>
List-Id: DPDK patches and discussions

On Fri, Sep 27, 2019 at 9:21 AM Maxime Coquelin wrote:
> On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> > From: Luca Boccassi
> >
> > The OSS-security project functions as a single point of contact for
> > pre-release, embargoed security notifications. Distributions and major
> > vendors are subscribed to this private list, so that they can be warned
> > in advance and schedule the work required to fix the vulnerability.
> >
> > List and link this process in the DPDK security process document.
> >
> > Signed-off-by: Luca Boccassi
> > ---
> > v1: As discussed at Userspace, we should include oss-security in the advanced
> >     private notice. This change has a brief explanation and a link to the
> >     process.
> > v2: --signoff missing in v1, lost somewhere between brain and keyboard
> >
> >  doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> >  1 file changed, 11 insertions(+), 2 deletions(-)
>
> Thanks Luca, it's much appreciated.
> Other than the typo reported below, it looks good to me:
>
> Reviewed-by: Maxime Coquelin
>
> Maxime
>
>
> >
> > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/con= tributing/vulnerability.rst > > index a4bef48576..78f65fe81b 100644 > > --- a/doc/guides/contributing/vulnerability.rst > > +++ b/doc/guides/contributing/vulnerability.rst > > @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease l= ist > > * Major DPDK users, considered trustworthy by the technical board, who > > have made the request to `techboard@dpdk.org `_ > > > > +The `OSS security private mailing list mailto:distros@vs.openwall.org>= ` will > > +also be contacted one week before the end of the embargo, as indicated= by `the > > +OSS-security process ` > > +and using the PGP key listed on the same page, describind the details = of the > > s/describind/describing/ Fixed while applying. > > > +vulnerability and sharing the patch[es]. Distributions and major vendo= rs follow > > +this private mailing list, and it functions as a single point of conta= ct for > > +embargoed advance notices for open source projects. > > + > > The security advisory will be based on below template, > > and will be sent signed with a security team's member GPG key. 
> > > > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so t= hat system administrators > > do not have to deal with security updates over the weekend. > > > > The security advisory is posted > > -to `announce@dpdk.org `_ > > -as soon as the patches are pushed to the appropriate branches. > > +to `announce@dpdk.org `_ and to `the public = OSS-security > > +mailing list ` as soon as the = patches > > +are pushed to the appropriate branches. > > > > Patches are then sent to `dev@dpdk.org `_ > > and `stable@dpdk.org `_ accordingly. > >

Applied, thanks.

--
David Marchand
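
Review bot: In the `@@ -194,6 +194,14 @@` hunk, the added private-list reference reads `mailto:distros@vs.openwall.org>` with no opening `<` before `mailto:`, so reStructuredText has no link target to parse and the address ends up as part of the visible text. Both references added in this hunk also close with a bare backtick, while the existing `techboard@dpdk.org` reference in the context line above closes with a backtick followed by an underscore; add the `<` and the trailing underscores so the links render. Because this paragraph covers embargoed details, consider stating outright that the notice is sent encrypted to the PGP key listed on the OSS-security page, instead of only "using the PGP key".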
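
Review bot: In the `@@ -276,8 +284,9 @@` hunk, the new reference to the public OSS-security mailing list closes with a bare backtick, whereas `announce@dpdk.org` on the same added line keeps its trailing underscore; without it the reference will not render as a hyperlink. Append the underscore after the closing backtick of the new reference so both destinations for the advisory are clickable in the built guide.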