Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Maxime Coquelin <maxime.coquelin@redhat.com>
To: luca.boccassi@gmail.com, dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process
Date: Fri, 27 Sep 2019 09:21:24 +0200	[thread overview]
Message-ID: <0732104f-7865-e29e-7336-0e66a30a1334@redhat.com> (raw)
In-Reply-To: <20190921145242.7420-1-luca.boccassi@gmail.com>



On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> From: Luca Boccassi <luca.boccassi@microsoft.com>
> 
> The OSS-security project functions as a single point of contact for
> pre-release, embargoed security notifications. Distributions and major
> vendors are subscribed to this private list, so that they can be warned
> in advance and schedule the work required to fix the vulnerability.
> 
> List and link this process in the DPDK security process document.
> 
> Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
> ---
> v1: As discussed at Userspace, we should include oss-security in the advanced
>     private notice. This change has a brief explanation and a link to the
>     process.
> v2: --signoff missing in v1, lost somewhere between brain and keyboard
> 
>  doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)

Thanks Luca, it's much appreciated.
Other than the typo reported below, it looks good to me:

Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Maxime


> 
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index a4bef48576..78f65fe81b 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list
>  * Major DPDK users, considered trustworthy by the technical board, who
>    have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
>  
> +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
> +also be contacted one week before the end of the embargo, as indicated by `the
> +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
> +and using the PGP key listed on the same page, describind the details of the

s/describind/describing/

> +vulnerability and sharing the patch[es]. Distributions and major vendors follow
> +this private mailing list, and it functions as a single point of contact for
> +embargoed advance notices for open source projects.
> +
>  The security advisory will be based on below template,
>  and will be sent signed with a security team's member GPG key.
>  
> @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
>  do not have to deal with security updates over the weekend.
>  
>  The security advisory is posted
> -to `announce@dpdk.org <mailto:announce@dpdk.org>`_
> -as soon as the patches are pushed to the appropriate branches.
> +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
> +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
> +are pushed to the appropriate branches.
>  
>  Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
>  and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.
>

next prev parent reply	other threads:[~2019-09-27  7:21 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-21 14:47 [dpdk-dev] [PATCH] " luca.boccassi
2019-09-21 14:52 ` [dpdk-dev] [PATCH v2] " luca.boccassi
2019-09-27  7:21   ` Maxime Coquelin [this message]
2019-11-15  8:54     ` David Marchand

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0732104f-7865-e29e-7336-0e66a30a1334@redhat.com \
    --to=maxime.coquelin@redhat.com \
    --cc=dev@dpdk.org \
    --cc=luca.boccassi@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).