branch master updated: security-advisories: Expound.
From: Ludovic Courtès
Subject: branch master updated: security-advisories: Expound.
Date: Fri, 02 Apr 2021 17:19:19 -0400
This is an automated email from the git hooks/post-receive script.
civodul pushed a commit to branch master
in repository maintenance.
The following commit(s) were added to refs/heads/master by this push:
new 258220b security-advisories: Expound.
258220b is described below
commit 258220b06e039f946756fac6b9c9320c5fe4ac1e
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Fri Apr 2 23:18:38 2021 +0200
security-advisories: Expound.
* doc/security-advisories.org: Expound.
---
doc/security-advisories.org | 46 ++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 41 insertions(+), 5 deletions(-)
diff --git a/doc/security-advisories.org b/doc/security-advisories.org
index ef560c8..89fc7ea 100644
--- a/doc/security-advisories.org
+++ b/doc/security-advisories.org
@@ -20,17 +20,53 @@ issues in Guix.
That gives a bug number that can be used to track progress.
-* Commit bug fix followed by a =etc/news.scm= entry
+ The bug report should mention, in this order:
- Report the commit ID in the bug tracker.
+ 1. who’s affected and who’s not (especially Guix System vs. foreign
+ distros);
+ 2. what users need to do to be safe;
+ 3. what the problem was and how it could be exploited.
+
+ The bug report may contain the patch (bug fix) as an attachment.
+
+* Commit the bug fix
+
+ The commit log of the bug fix should contain the line:
+
+ #+begin_example
+ Fixes <https://bugs.gnu.org/NNN>.
+ #+end_example
+
+ where NNN is the bug number obtained above.
+
+* Commit a =etc/news.scm= entry as a followup
+
+ The news entry should be a simplified version of the bug report, with
+ the understanding that it will be read by users who just upgraded or
+ who are about to upgrade (in cases where the upgrade requires
+ additional step, such as running =guix system reconfigure=).
+
+* Report the commit ID in the bug tracker
+
+ Once these two commits have been pushed, reply to NNN@debbugs.gnu.org
+ giving the commit ID that contains the fix.
* Announce the issue
-** blog post with the “Security Advisory” tag
+** Wrote a blog post with the “Security Advisory” tag
+
+ The blog post should roughly the same as the bug report above. It
+ should contain the bug report URL. Blog posts are available at
+ https://git.savannah.gnu.org/cgit/guix/guix-artwork.git/tree/website/posts.
+
+** Send email to info-guix@gnu.org
+
+ The message be again roughly the same as the blog post, as plain
+ text, GPG-signed.
-** message to info-guix@gnu.org
+** Send email to the oss-security list (optionally)
-** oss-security list (?)
+ If deemed useful, email the
[[https://www.openwall.com/lists/oss-security/][oss-security list]].
* Assign a CVE number via https://cveform.mitre.org/ (?)
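Review bot: several of the added lines carry wording slips that would go straight into the published procedure. The heading `+** Wrote a blog post with the “Security Advisory” tag` should be imperative like its sibling headings ("Write a blog post ..."); `+ The blog post should roughly the same as the bug report above.` is missing "be"; `+ The message be again roughly the same as the blog post, as plain` is missing "should"; and "additional step, such as running =guix system reconfigure=" should read "additional steps". Also "Commit a =etc/news.scm= entry" should be "an =etc/news.scm= entry". On content: the commit-log step requires the "Fixes <https://bugs.gnu.org/NNN>." line and the blog-post step requires the bug report URL, but the news-entry step does not say whether the entry should link back to the bug; stating that explicitly would keep the three artifacts consistent for a user who only sees the news entry at upgrade time.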