Message ID | 20190921145242.7420-1-luca.boccassi@gmail.com |
---|---|
State | Accepted, archived |
Delegated to: | David Marchand |
Context | Check | Description |
---|---|---|
ci/checkpatch | success | coding style OK |
ci/Intel-compilation | success | Compilation OK |
On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> From: Luca Boccassi <luca.boccassi@microsoft.com>
>
> The OSS-security project functions as a single point of contact for
> pre-release, embargoed security notifications. Distributions and major
> vendors are subscribed to this private list, so that they can be warned
> in advance and schedule the work required to fix the vulnerability.
>
> List and link this process in the DPDK security process document.
>
> Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
> ---
> v1: As discussed at Userspace, we should include oss-security in the advanced
> private notice. This change has a brief explanation and a link to the
> process.
> v2: --signoff missing in v1, lost somewhere between brain and keyboard
>
> doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)

Thanks Luca, it's much appreciated.
Other than the typo reported below, it looks good to me:

Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Maxime

>
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index a4bef48576..78f65fe81b 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list > * Major DPDK users, considered trustworthy by the technical board, who > have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_ > > +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will > +also be contacted one week before the end of the embargo, as indicated by `the > +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>` > +and using the PGP key listed on the same page, describind the details of the s/describind/describing/ > +vulnerability and sharing the patch[es]. Distributions and major vendors follow > +this private mailing list, and it functions as a single point of contact for > +embargoed advance notices for open source projects. > + > The security advisory will be based on below template, > and will be sent signed with a security team's member GPG key. > > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators > do not have to deal with security updates over the weekend. > > The security advisory is posted > -to `announce@dpdk.org <mailto:announce@dpdk.org>`_ > -as soon as the patches are pushed to the appropriate branches. > +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security > +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches > +are pushed to the appropriate branches. > > Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_ > and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly. >
On Fri, Sep 27, 2019 at 9:21 AM Maxime Coquelin <maxime.coquelin@redhat.com> wrote:
> On 9/21/19 4:52 PM, luca.boccassi@gmail.com wrote:
> > From: Luca Boccassi <luca.boccassi@microsoft.com>
> >
> > The OSS-security project functions as a single point of contact for
> > pre-release, embargoed security notifications. Distributions and major
> > vendors are subscribed to this private list, so that they can be warned
> > in advance and schedule the work required to fix the vulnerability.
> >
> > List and link this process in the DPDK security process document.
> >
> > Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
> > ---
> > v1: As discussed at Userspace, we should include oss-security in the advanced
> > private notice. This change has a brief explanation and a link to the
> > process.
> > v2: --signoff missing in v1, lost somewhere between brain and keyboard
> >
> > doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
>
> Thanks Luca, it's much appreciated.
> Other than the typo reported below, it looks good to me:
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
>
> Maxime
>
> >
> > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> > index a4bef48576..78f65fe81b 100644
> > --- a/doc/guides/contributing/vulnerability.rst
> > +++ b/doc/guides/contributing/vulnerability.rst
> > @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list > > * Major DPDK users, considered trustworthy by the technical board, who > > have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_ > > > > +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will > > +also be contacted one week before the end of the embargo, as indicated by `the > > +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>` > > +and using the PGP key listed on the same page, describind the details of the > > s/describind/describing/ Fixed while applying. > > > +vulnerability and sharing the patch[es]. Distributions and major vendors follow > > +this private mailing list, and it functions as a single point of contact for > > +embargoed advance notices for open source projects. > > + > > The security advisory will be based on below template, > > and will be sent signed with a security team's member GPG key. > > > > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators > > do not have to deal with security updates over the weekend. > > > > The security advisory is posted > > -to `announce@dpdk.org <mailto:announce@dpdk.org>`_ > > -as soon as the patches are pushed to the appropriate branches. > > +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security > > +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches > > +are pushed to the appropriate branches. > > > > Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_ > > and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly. > > Applied, thanks.
diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst index a4bef48576..78f65fe81b 100644 --- a/doc/guides/contributing/vulnerability.rst +++ b/doc/guides/contributing/vulnerability.rst @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list * Major DPDK users, considered trustworthy by the technical board, who have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_ +The `OSS security private mailing list mailto:distros@vs.openwall.org>` will +also be contacted one week before the end of the embargo, as indicated by `the +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>` +and using the PGP key listed on the same page, describind the details of the +vulnerability and sharing the patch[es]. Distributions and major vendors follow +this private mailing list, and it functions as a single point of contact for +embargoed advance notices for open source projects. + The security advisory will be based on below template, and will be sent signed with a security team's member GPG key. @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators do not have to deal with security updates over the weekend. The security advisory is posted -to `announce@dpdk.org <mailto:announce@dpdk.org>`_ -as soon as the patches are pushed to the appropriate branches. +to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security +mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches +are pushed to the appropriate branches. Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_ and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.
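Review bot: the two new reStructuredText hyperlinks in the first hunk (@@ -194,6 +194,14 @@) are malformed and will not render as links. ``OSS security private mailing list mailto:distros@vs.openwall.org>`` is missing the opening `<` before `mailto:`, and both it and ``the OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`` lack the trailing `_` that turns a backtick span into an external hyperlink reference; without it Sphinx treats the span as interpreted text and the reader gets no clickable target for the distros list or the process page the paragraph tells them to follow. Suggest ``\`OSS security private mailing list <mailto:distros@vs.openwall.org>\`_`` and ``\`the OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>\`_``, matching the ``\`techboard@dpdk.org <mailto:techboard@dpdk.org>\`_`` reference in the unchanged context just above. The describind/describing typo in the same hunk is already reported in the thread.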
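Review bot: the second hunk (@@ -276,8 +284,9 @@) has the same hyperlink-syntax inconsistency: ``the public OSS-security mailing list <mailto:oss-security@lists.openwall.com>`` is written without the trailing `_`, while the ``\`announce@dpdk.org <mailto:announce@dpdk.org>\`_`` reference on the same line keeps it, so one renders as a link and the other as interpreted text. Add the `_` so the public oss-security address is a link like the announce address next to it.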