From: Taylor Blau <me@ttaylorr.com>
To: Julia Ramer via GitGitGadget <gitgitgadget@gmail.com>
Cc: git@vger.kernel.org,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Julia Ramer <prplr@github.com>,
Keanen Wold <keanenwold@github.com>,
Veronica Giaudrone <veronica.Giaudrone@microsoft.com>,
Bri Brothers <brbrot@microsoft.com>,
Julia Ramer <gitprplr@gmail.com>
Subject: Re: [PATCH v2] embargoed releases: also describe the git-security list and the process
Date: Thu, 20 Oct 2022 13:06:51 -0400 [thread overview]
Message-ID: <Y1GAK+y8a2lc9Kq6@nand.local> (raw)
In-Reply-To: <Y1Bo18aU7YKKX9yh@nand.local>
On Wed, Oct 19, 2022 at 05:15:03PM -0400, Taylor Blau wrote:
> > +- Depending on the preferences of the involved contributors and reviewers, code
> > + review then happens either on the `git-security` mailing list or in a private
> > + fork associated with the draft security advisory.
>
> There's a third option, too, which is using the private git/cabal
> repository. Anybody who is a member of the @git/security team on GitHub
> has access to this repository. And it is often a convenient option for
> coordinating releases that contain fixes for more than one
> vulnerability.
>
> There aren't any hard and fast rules for which approach should be used
> in a given circumstance, but I think it's worth mentioning it as another
> option.
>
> For my own $.02, I often find it useful to *start* by sending patches to
> the git-security list inline with the thread so that the original
> reporter (who is more often than not *not* a member of the @git/security
> team) can participate in review (or at least look at the patches).
>
> The private forks tied to a security advisory are often convenient
> (assuming that the reporter has a GitHub account) since they provide a
> shared workspace. But I think we usually avoid them when working on
> preparing a release for more than one vulnerability.
Here is some proposed language that I think would encompass everything
both you and I wrote here:
Code review can take place in a variety of different locations,
depending on context. These are: patches sent inline on the
git-security list, a private fork on GitHub associated with the
draft security advisory, or the git/cabal repository.
Contributors working on a fix should consider beginning by sending
patches on the list (inline with the original thread), since they
are accessible to all subscribers, along with the original reporter.
A typical review cycle often takes place here.
Then, depending on if there are one or multiple security advisories,
contributors should move their patches to either the private fork
associated with the security advisory on GitHub, or the git/cabal
repository. It is in either one of these locations that release
branches (based on `maint`) are prepared.
When there is a single security vulnerability, using the fork
associated with the security advisory is convenient as it
centralizes discussion, review, and release mechanics at a single
location. When there are multiple such vulnerabilities, no single
temporary fork is appropriate, so it is instead encouraged to use
the private git/cabal repository (visibility of which is granted to
members of the @git/security team on GitHub).
Thanks,
Taylor
next prev parent reply other threads:[~2022-10-20 17:06 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 22:39 [PATCH] embargoed releases: also describe the git-security list and the process Julia Ramer via GitGitGadget
2022-09-02 17:24 ` Junio C Hamano
2022-09-27 22:56 ` Julia Ramer
2022-09-28 17:12 ` Junio C Hamano
2022-10-18 20:43 ` Julia Ramer
2022-10-19 15:47 ` Junio C Hamano
2022-09-02 18:59 ` Junio C Hamano
2022-09-03 9:29 ` Johannes Schindelin
2022-09-05 20:28 ` Junio C Hamano
2022-10-19 1:16 ` [PATCH v2] " Julia Ramer via GitGitGadget
2022-10-19 18:53 ` Junio C Hamano
2022-10-19 21:22 ` Taylor Blau
2022-10-19 22:01 ` Junio C Hamano
2022-10-19 21:15 ` Taylor Blau
2022-10-19 21:50 ` Junio C Hamano
2022-10-20 17:06 ` Taylor Blau [this message]
2022-10-21 7:41 ` [PATCH v3] " Julia Ramer via GitGitGadget
2022-10-21 16:42 ` Junio C Hamano
2022-10-24 20:18 ` Julia Ramer
2022-10-24 22:56 ` Junio C Hamano
2022-10-22 0:11 ` Taylor Blau
2022-10-24 20:19 ` Julia Ramer
2022-10-24 22:07 ` [PATCH v4] " Julia Ramer via GitGitGadget
2022-10-24 23:08 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1GAK+y8a2lc9Kq6@nand.local \
--to=me@ttaylorr.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=brbrot@microsoft.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitprplr@gmail.com \
--cc=keanenwold@github.com \
--cc=prplr@github.com \
--cc=veronica.Giaudrone@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).