gnunet-svn

From: gnunet
Subject: [GNUnet-SVN] [gnurl] 02/178: SECURITY-PROCESS: mention how we write/add advisories
Date: Wed, 23 May 2018 12:23:57 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit a857057536df6e55cb8eec0f894c192fe594272d
Author: Daniel Stenberg <address@hidden>
AuthorDate: Wed Mar 14 14:20:24 2018 +0100

    SECURITY-PROCESS: mention how we write/add advisories
---
 docs/SECURITY-PROCESS.md | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index d39c5a1fb..4991d5fb7 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -56,9 +56,9 @@ announcement.
   then a separate earlier release for security reasons should be considered.
 
 - Write a security advisory draft about the problem that explains what the
-  problem is, its impact, which versions it affects, solutions or
-  workarounds, when the release is out and make sure to credit all
-  contributors properly.
+  problem is, its impact, which versions it affects, solutions or workarounds,
+  when the release is out and make sure to credit all contributors properly.
+  Figure out the CWE (Common Weakness Enumeration) number for the flaw.
 
 - Request a CVE number from
   address@hidden(http://oss-security.openwall.org/wiki/mailing-lists/distros)
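Review bot: the new sentence "Figure out the CWE (Common Weakness Enumeration) number for the flaw." says to determine the CWE but not where to record it; since the bullet is about the advisory draft, make it explicit that the CWE goes into the advisory alongside impact and affected versions, e.g. "Figure out the CWE (Common Weakness Enumeration) number for the flaw and state it in the advisory." That also keeps it available for the CVE request in the next bullet, which is the place the identifier is commonly asked for. The rest of the hunk only reflows the two existing lines, which is fine.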
@@ -114,3 +114,26 @@ plans in vanishing in the near future.
 
 We do not make the list of participants public mostly because it tends to vary
 somewhat over time and a list somewhere will only risk getting outdated.
+
+Publishing Security Advisories
+------------------------------
+
+1. Write up the security advisory, using markdown syntax. Use the same
+   subtitles as last time to maintain consistency.
+
+2. Name the advisory file (and ultimately the URL to be used when the flaw
+   gets published), using a randomized component so that third parties that
+   are involved in the process for each individual flaw will not be given
+   insights about possible *other* flaws worked on in parallel.
+   `adv_YEAR_RANDOM.md` has been used before.
+
+3. Add a line on the top of the array in `curl-www/docs/vuln.pm'.
+
+4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it
+   to the git repo.  Update the Makefile in the same directory to build the
+   HTML representation.
+
+5. Run `make` in your local web checkout and verify that things look fine.
+
+6. On security advisory release day, push the changes on the curl-www
+   repository's remote master branch.
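Review bot: step 3 has unbalanced quoting, `curl-www/docs/vuln.pm' opens with a backtick and closes with a single quote, so Markdown will render a stray backtick instead of inline code; it should read `curl-www/docs/vuln.pm`. Step 2 would also benefit from saying how the random component is produced, because the whole point of the name is to prevent a third party who has seen one advisory URL from guessing others worked on in parallel, and a date- or counter-based suffix would defeat that. A concrete suggestion to add after "`adv_YEAR_RANDOM.md` has been used before.": generate the suffix from a CSPRNG, for example `printf 'adv_%s_%s.md\n' "$(date +%Y)" "$(openssl rand -hex 4)"`. Finally, steps 3 to 5 tell the editor to commit the advisory and the `vuln.pm` entry locally while step 6 defers the push to release day; it is worth stating in step 4 that the commit must stay on a local branch and not be pushed to any public remote or mirror before release day, since the name obscures parallel flaws but the file contents do not.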
