doc: Add document on security advisories.

* doc/security-advisories.org: New file.
Ludovic Courtès 2021-02-10 12:45:54 +01:00
parent abfb17bfec
commit 1bc34954ec
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
1 changed files with 37 additions and 0 deletions

@ -0,0 +1,37 @@
#+TITLE: Addressing and announcing security issues
This document describes the process to follow when reporting security
issues in Guix.
* Identify the problem and estimate its impact
This discussion usually happens on the private guix-security@gnu.org
list.
* Work on a fix or workaround
This may happen on guix-security, or it could be tracked in the bug
tracker.
In general, bringing issues to public scrutiny can help raise
awareness and find better solutions.
* Publicize bug and patch at bug-guix@gnu.org
That gives a bug number that can be used to track progress.
* Commit bug fix followed by a =etc/news.scm= entry
Report the commit ID in the bug tracker.
* Announce the issue
** blog post with the “Security Advisory” tag
** message to info-guix@gnu.org
** oss-security list (?)
* Assign a CVE number via https://cveform.mitre.org/ (?)
See also https://cve.mitre.org/cve/request_id.html.
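Review bot: The ordering of the steps leaves the disclosure window unspecified: "Publicize bug and patch at bug-guix@gnu.org" (a public list) comes before "Commit bug fix followed by a =etc/news.scm= entry", so a reader cannot tell whether the fix must be ready and reviewed on guix-security before the bug goes public, or whether publishing first is acceptable for low-impact issues. A sentence under the first heading stating how the impact estimate decides that (for example, keep the discussion on guix-security until a fix or workaround exists when the impact is high) would close that gap. The two "(?)" markers on "oss-security list" and "Assign a CVE number" also leave the process undecided at exactly the points an outside reader would consult it; either resolve them or mark them explicitly as optional steps at the discretion of the person handling the issue. Finally, the document never says how users obtain the fix once committed; a short note that the =etc/news.scm= entry is what surfaces the advisory to users on their next update would make the last steps self-explanatory.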