security-advisories: Expound.
* doc/security-advisories.org: Expound.
parent 9663c1f6c8
commit 258220b06e
@@ -20,17 +20,53 @@ issues in Guix.

That gives a bug number that can be used to track progress.

* Commit bug fix followed by a =etc/news.scm= entry
The bug report should mention, in this order:

Report the commit ID in the bug tracker.
1. who’s affected and who’s not (especially Guix System vs. foreign
distros);
2. what users need to do to be safe;
3. what the problem was and how it could be exploited.

The bug report may contain the patch (bug fix) as an attachment.

* Commit the bug fix

The commit log of the bug fix should contain the line:

#+begin_example
Fixes <https://bugs.gnu.org/NNN>.
#+end_example

where NNN is the bug number obtained above.

* Commit a =etc/news.scm= entry as a followup

The news entry should be a simplified version of the bug report, with
the understanding that it will be read by users who just upgraded or
who are about to upgrade (in cases where the upgrade requires
additional step, such as running =guix system reconfigure=).

* Report the commit ID in the bug tracker

Once these two commits have been pushed, reply to NNN@debbugs.gnu.org
giving the commit ID that contains the fix.

* Announce the issue

** blog post with the “Security Advisory” tag
** Wrote a blog post with the “Security Advisory” tag

** message to info-guix@gnu.org
The blog post should roughly the same as the bug report above. It
should contain the bug report URL. Blog posts are available at
https://git.savannah.gnu.org/cgit/guix/guix-artwork.git/tree/website/posts.

** oss-security list (?)
** Send email to info-guix@gnu.org

The message be again roughly the same as the blog post, as plain
text, GPG-signed.

** Send email to the oss-security list (optionally)

If deemed useful, email the [[https://www.openwall.com/lists/oss-security/][oss-security list]].

* Assign a CVE number via https://cveform.mitre.org/ (?)

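Review bot: the expanded procedure now commits the fix, commits the news entry and then reports the commit ID, but the final heading `* Assign a CVE number via https://cveform.mitre.org/ (?)` is the one step left unexpanded and it still sits after the announcement steps; since the blog post, the info-guix mail and the bug report are all meant to carry the same content, requesting the CVE identifier before those announcements lets all three cite it, and the `(?)` should be resolved into a statement of whether the step is optional, as was done for the oss-security mail. The `=etc/news.scm=` section also omits the bug report URL that the blog post section requires, so the three texts will not stay consistent as written. Wording in the added lines: `Commit a =etc/news.scm= entry as a followup` should read `an =etc/news.scm= entry`; `additional step, such as running` should be `additional steps`; `** Wrote a blog post` should use the imperative `Write` like its sibling headings; `The blog post should roughly the same` is missing `be`; and `The message be again roughly the same` is missing `should`.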