From: Taylor Blau <me@ttaylorr.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Julia Ramer via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, git-security@googlegroups.com,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Julia Ramer <prplr@github.com>,
Keanen Wold <keanenwold@github.com>,
Veronica Giaudrone <veronica.Giaudrone@microsoft.com>,
Bri Brothers <brbrot@microsoft.com>,
Julia Ramer <gitprplr@gmail.com>
Subject: Re: [PATCH v2] embargoed releases: also describe the git-security list and the process
Date: Wed, 19 Oct 2022 17:22:30 -0400 [thread overview]
Message-ID: <Y1Bqlmo7kP/4A79B@nand.local> (raw)
In-Reply-To: <xmqqa65rr6g1.fsf@gitster.g>
On Wed, Oct 19, 2022 at 11:53:18AM -0700, Junio C Hamano wrote:
> "Julia Ramer via GitGitGadget" <gitgitgadget@gmail.com> writes:
>
> > From: Julia Ramer <gitprplr@gmail.com>
> >
> > With the recent turnover on the git-security list, questions came up how
> > things are usually run. Rather than answering questions individually,
> > extend Git's existing documentation about security vulnerabilities to
> > describe the git-security mailing list, how things are run on that list,
> > and what to expect throughout the process from the time a security bug
> > is reported all the way to the time when a fix is released.
> >
> > Signed-off-by: Julia Ramer <gitprplr@gmail.com>
> > ---
>
> Thanks for an update that is excellently written.
Yes, indeed.
> - Would a reader, who has "stake" in the healty and secure Git, be
> helped if we spell out that they are welcome to ask joining the
> security list and how? It feels a bit too obvious after reading
> "anybody may contact", which is both the right way to self
> nominate for the membership and the natural thing I expect such a
> reader would do, so we may not need to.
My personal feeling is in agreement with yours, which is that it is
probably obvious, so I don't think it's worth spelling out explicitly
here.
> + The packager whose release artifacts can be exchanged among
> security list participants under embargo is not limited to Git
> for Windows, even though we've only seen exchanges between
> Victoria and Veronica this cycle for that particular
> distribution.
>
> - The world is not limited to only Windows, mac and Linux. Windows
> is not all that special.
I agree, I think that mentioning Git for Windows in this document is not
strictly necessary (e.g., if there were a new "Git for Foo" that came
out tomorrow, I would not consider this document out-of-date), but I
likewise wouldn't object to it.
> - I wonder if we want to record the name that is used to refer to
> the "private repository controlled by the project" on the
> security mailing list somewhere in the documentation. If you are
> a stakeholder, being on the mailing list *and* having access to
> that repository are two things we need to make sure you have to
> partcipate in the coordinated embargoed releases.
This repository (git/cabal) is already well-documented on the mailing
list, so I would have no problem including its name here, too.
> Here is a patch that summarises some of the above on top of your
> patch. I only tried to address the bullet items with "+" in front
> in the above list.
All looks good to me, thanks.
Thanks,
Taylor
next prev parent reply other threads:[~2022-10-19 21:22 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 22:39 [PATCH] embargoed releases: also describe the git-security list and the process Julia Ramer via GitGitGadget
2022-09-02 17:24 ` Junio C Hamano
2022-09-27 22:56 ` Julia Ramer
2022-09-28 17:12 ` Junio C Hamano
2022-10-18 20:43 ` Julia Ramer
2022-10-19 15:47 ` Junio C Hamano
2022-09-02 18:59 ` Junio C Hamano
2022-09-03 9:29 ` Johannes Schindelin
2022-09-05 20:28 ` Junio C Hamano
2022-10-19 1:16 ` [PATCH v2] " Julia Ramer via GitGitGadget
2022-10-19 18:53 ` Junio C Hamano
2022-10-19 21:22 ` Taylor Blau [this message]
2022-10-19 22:01 ` Junio C Hamano
2022-10-19 21:15 ` Taylor Blau
2022-10-19 21:50 ` Junio C Hamano
2022-10-20 17:06 ` Taylor Blau
2022-10-21 7:41 ` [PATCH v3] " Julia Ramer via GitGitGadget
2022-10-21 16:42 ` Junio C Hamano
2022-10-24 20:18 ` Julia Ramer
2022-10-24 22:56 ` Junio C Hamano
2022-10-22 0:11 ` Taylor Blau
2022-10-24 20:19 ` Julia Ramer
2022-10-24 22:07 ` [PATCH v4] " Julia Ramer via GitGitGadget
2022-10-24 23:08 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1Bqlmo7kP/4A79B@nand.local \
--to=me@ttaylorr.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=brbrot@microsoft.com \
--cc=git-security@googlegroups.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitprplr@gmail.com \
--cc=gitster@pobox.com \
--cc=keanenwold@github.com \
--cc=prplr@github.com \
--cc=veronica.Giaudrone@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).