From: Patrick Williams <patrick@stwcx.xyz>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: Bruce Mitchell <bruce.mitchell@linux.vnet.ibm.com>,
Brad Bishop <bradleyb@fuzziesquirrel.com>,
openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Start using github security advisories
Date: Thu, 28 Oct 2021 08:43:08 -0500 [thread overview]
Message-ID: <YXqo7KhqQ5y/ZM5p@heinlein> (raw)
In-Reply-To: <b738b432-8416-d26d-2a89-d61e4187db67@linux.ibm.com>
On Thu, Oct 28, 2021 at 08:31:37AM -0500, Joseph Reynolds wrote:
> On 10/27/21 2:42 PM, Brad Bishop wrote:
> > On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote:
> >> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote:
> >>> Brad or Andrew, Can we proceed with the creation of security
> >>> repository so that we can run a couple of trials on security issues?
> >> Hi James, thanks for the ping.
> >>
> >> The only reason I haven't already done this was this comment from
> >> Bruce:
> >>
> >>>> I believe we want to make sure that none of security advisories
> >>>> get sent to Discord, wouldn't want to accidentally be going to
> >>>> something like #gh-issues.
> >> This was a good point and I'm not sure what to do about it.
> > Hi James
> >
> > I created the security-response github group and the security-response
> > repo just now and made it private. Please do some testing and make sure
> > issues don't find their way into #gh-issues on Discord.
> >
> > thx - brad
>
> Thanks Brad!
>
> The plan is to write the first issues from real-live but low-severity
> problems which are also common knowledge within the openBMC community.
> Meaning: there will be minimal harm if the problem is disclosed.
>
> - Joseph
I want to reiterate three things:
1. In Github, security advisories are different from issues. Security
advisories are supposed to be able to be collaborated on in private
without the repository itself being private. Only when you are ready to
reveal the security advisory can you switch it to be public.
2. We have two webhooks for Discord now: one for issues and one for code
changes. Security advisories are not currently covered. If you make an
issue in a public repository anyone can see it, even if it isn't covered
by a Discord webhook, so "limiting the awareness by avoiding the Discord
webhook" isn't really what you want anyhow. You need to make sure the
information you want to be kept private is private (and again security
advisories are supposed to be the way to do that).
3. Having a private repository means you cannot report any security
advisories (or issues) in a public way. Today if someone goes to
https://github.com/openbmc/security-response they get a 404 (unless they
have explicit access to the private repository).
--
Patrick Williams
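The check Brad asks for above ("make sure issues don't find their way into #gh-issues on Discord") and Patrick's two points about it (a Discord webhook only sees the events it is subscribed to, and a private repository hides everything, including the place where outsiders would file a report) can be turned into a small audit. The script below is an added example and is not OpenBMC tooling; it reads the hook list in the shape that GitHub's `GET /repos/{owner}/{repo}/hooks` endpoint returns, flags any hook that subscribes to advisory- or alert-related events or to the `*` wildcard, and warns when the repository itself is private. The event names in `ADVISORY_EVENTS` are taken from the GitHub webhook event reference as I remember it and are an assumption; the repository name, hook ids and Discord URLs in the sample data are constructed.

```python
"""Audit GitHub webhooks so advisory-related events cannot reach a chat
integration.  Added example; not OpenBMC project tooling."""
import json
import urllib.request

# Assumed event names (from the GitHub webhook event reference).  "*" is
# GitHub's wildcard that subscribes a hook to every event type.
ADVISORY_EVENTS = {
    "security_advisory",
    "repository_advisory",
    "repository_vulnerability_alert",
    "dependabot_alert",
    "code_scanning_alert",
    "secret_scanning_alert",
}


def audit_hooks(hooks):
    """Return (hook_id, target_url, reason) for every hook that could
    forward advisory or alert activity.  `hooks` is a list of dicts in
    the shape of GET /repos/{owner}/{repo}/hooks."""
    findings = []
    for hook in hooks:
        events = set(hook.get("events", []))
        target = hook.get("config", {}).get("url", "<no url>")
        if "*" in events:
            # A wildcard hook receives advisory events as soon as GitHub
            # emits them, whatever the hook was originally set up for.
            findings.append((hook["id"], target, "subscribed to all events (*)"))
            continue
        leaked = sorted(events & ADVISORY_EVENTS)
        if leaked:
            findings.append((hook["id"], target, "subscribed to " + ", ".join(leaked)))
    return findings


def audit_repo(repo):
    """Return a warning string if the repository is private (outsiders
    get a 404 and cannot file a report there), else None.  `repo` is a
    dict in the shape of GET /repos/{owner}/{repo}."""
    if repo.get("private"):
        return (f"{repo.get('full_name', '<repo>')} is private: "
                "non-members get a 404 and cannot report anything here")
    return None


def fetch_json(url, token):
    """Live GitHub API lookup; needs network and a token with
    admin:repo_hook.  Not exercised by the sample run below."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data modelled on the thread: one hook for issues,
# one for code changes, plus two hooks that would leak advisory activity.
SAMPLE_REPO = {"full_name": "example-org/security-response", "private": False}
SAMPLE_HOOKS = [
    {"id": 1, "events": ["issues", "issue_comment"],
     "config": {"url": "https://discord.com/api/webhooks/111/aaa/github"}},
    {"id": 2, "events": ["push", "pull_request"],
     "config": {"url": "https://discord.com/api/webhooks/222/bbb/github"}},
    {"id": 3, "events": ["*"],
     "config": {"url": "https://discord.com/api/webhooks/333/ccc/github"}},
    {"id": 4, "events": ["repository_advisory", "push"],
     "config": {"url": "https://ci.example.invalid/hook"}},
]


def run_sample():
    """Run the audit over the constructed sample and return the findings."""
    return audit_hooks(SAMPLE_HOOKS), audit_repo(SAMPLE_REPO)


if __name__ == "__main__":
    hook_findings, repo_warning = run_sample()
    for hook_id, target, reason in hook_findings:
        print(f"hook {hook_id} -> {target}: {reason}")
    if repo_warning:
        print(repo_warning)
```

The audit only tells you which hooks would see advisory events; it does not make an advisory private. As Patrick says, that comes from GitHub keeping a draft security advisory visible only to its collaborators until it is published, which holds in a public repository and is what the `fetch_json` call would be run against if you audit the real repository.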
Thread overview: 10+ messages
2021-10-13 20:56 Start using github security advisories Joseph Reynolds
2021-10-14 19:12 ` Andrew Geissler
2021-10-18 18:49 ` Brad Bishop
2021-10-18 19:06 ` Bruce Mitchell
2021-10-27 18:29 ` Mihm, James
2021-10-27 19:29 ` Brad Bishop
2021-10-27 19:42 ` Brad Bishop
2021-10-28 13:31 ` Joseph Reynolds
2021-10-28 13:43 ` Patrick Williams [this message]
2021-10-28 14:22 ` Joseph Reynolds