Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process

DPDK patches and discussions
 help / color / mirror / Atom feed

From: David Marchand <david.marchand@redhat.com>
To: luca.boccassi@gmail.com
Cc: dev <dev@dpdk.org>, Maxime Coquelin <maxime.coquelin@redhat.com>
Subject: Re: [dpdk-dev] [PATCH v2] doc: add oss-security to the security process
Date: Fri, 15 Nov 2019 09:54:52 +0100	[thread overview]
Message-ID: <CAJFAV8wfTd7Eox+Ltk+LLP5SHj3Ma=kmEHXvYoB6XainwOKyDg@mail.gmail.com> (raw)
In-Reply-To: <0732104f-7865-e29e-7336-0e66a30a1334@redhat.com>

On Fri, Sep 27, 2019 at 9:21 AM Maxime Coquelin
<maxime.coquelin@redhat.com> wrote:
> On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> > From: Luca Boccassi <luca.boccassi@microsoft.com>
> >
> > The OSS-security project functions as a single point of contact for
> > pre-release, embargoed security notifications. Distributions and major
> > vendors are subscribed to this private list, so that they can be warned
> > in advance and schedule the work required to fix the vulnerability.
> >
> > List and link this process in the DPDK security process document.
> >
> > Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
> > ---
> > v1: As discussed at Userspace, we should include oss-security in the advanced
> >     private notice. This change has a brief explanation and a link to the
> >     process.
> > v2: --signoff missing in v1, lost somewhere between brain and keyboard
> >
> >  doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> >  1 file changed, 11 insertions(+), 2 deletions(-)
>
> Thanks Luca, it's much appreciated.
> Other than the typo reported below, it looks good to me:
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
>
> Maxime
>
>
> >
> > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> > index a4bef48576..78f65fe81b 100644
> > --- a/doc/guides/contributing/vulnerability.rst
> > +++ b/doc/guides/contributing/vulnerability.rst
> > @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list
> >  * Major DPDK users, considered trustworthy by the technical board, who
> >    have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
> >
> > +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
> > +also be contacted one week before the end of the embargo, as indicated by `the
> > +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
> > +and using the PGP key listed on the same page, describind the details of the
>
> s/describind/describing/

Fixed while applying.

>
> > +vulnerability and sharing the patch[es]. Distributions and major vendors follow
> > +this private mailing list, and it functions as a single point of contact for
> > +embargoed advance notices for open source projects.
> > +
> >  The security advisory will be based on below template,
> >  and will be sent signed with a security team's member GPG key.
> >
> > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
> >  do not have to deal with security updates over the weekend.
> >
> >  The security advisory is posted
> > -to `announce@dpdk.org <mailto:announce@dpdk.org>`_
> > -as soon as the patches are pushed to the appropriate branches.
> > +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
> > +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
> > +are pushed to the appropriate branches.
> >
> >  Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
> >  and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.
> >

Applied, thanks.


-- 
David Marchand

     prev parent reply	other threads:[~2019-11-15  8:55 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-21 14:47 [dpdk-dev] [PATCH] " luca.boccassi
2019-09-21 14:52 ` [dpdk-dev] [PATCH v2] " luca.boccassi
2019-09-27  7:21   ` Maxime Coquelin
2019-11-15  8:54     ` David Marchand [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAJFAV8wfTd7Eox+Ltk+LLP5SHj3Ma=kmEHXvYoB6XainwOKyDg@mail.gmail.com' \
    --to=david.marchand@redhat.com \
    --cc=dev@dpdk.org \
    --cc=luca.boccassi@gmail.com \
    --cc=maxime.coquelin@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).