doc: Add document on security advisories.
* doc/security-advisories.org: New file.
parent abfb17bfec
commit 1bc34954ec
@ -0,0 +1,37 @@
#+TITLE: Addressing and announcing security issues
This document describes the process to follow when reporting security
issues in Guix.
* Identify the problem and estimate its impact
This discussion usually happens on the private guix-security@gnu.org
list.
* Work on a fix or workaround
This may happen on guix-security, or it could be tracked in the bug
tracker.
In general, bringing issues to public scrutiny can help raise
awareness and find better solutions.
* Publicize bug and patch at bug-guix@gnu.org
That gives a bug number that can be used to track progress.
* Commit bug fix followed by a =etc/news.scm= entry
Report the commit ID in the bug tracker.
* Announce the issue
** blog post with the “Security Advisory” tag
** message to info-guix@gnu.org
** oss-security list (?)
* Assign a CVE number via https://cveform.mitre.org/ (?)
See also https://cve.mitre.org/cve/request_id.html.
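Review bot: the CVE request in the last step ("Assign a CVE number via https://cveform.mitre.org/ (?)") comes after "Announce the issue", so the blog post, the info-guix message and the =etc/news.scm= entry would all be published without an identifier to reference; consider moving the CVE request before "Publicize bug and patch at bug-guix@gnu.org", or at least before the announcement step, so every public artifact carries the same identifier. The two "(?)" markers (oss-security and CVE assignment) leave the procedure undecided on exactly the steps that coordinate with other distributions and users; the document should either commit to them or state who decides per case. Also, the introduction says the document describes "the process to follow when reporting security issues in Guix", but the only reporting channel named is the private guix-security@gnu.org list in step 1, and nothing says when the issue may leave that list; a sentence stating that reporters should write to that address and that the public bug-guix step is deferred until a fix or workaround exists would make the disclosure timing explicit.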