security-advisories: Expound.

* doc/security-advisories.org: Expound.
Ludovic Courtès 2021-04-02 23:18:38 +02:00
parent 9663c1f6c8
commit 258220b06e
GPG Key ID: 090B11993D9AEBB5
1 changed files with 41 additions and 5 deletions


@ -20,17 +20,53 @@ issues in Guix.
That gives a bug number that can be used to track progress.
* Commit bug fix followed by a =etc/news.scm= entry
The bug report should mention, in this order:
Report the commit ID in the bug tracker.
1. whos affected and whos not (especially Guix System vs. foreign
distros);
2. what users need to do to be safe;
3. what the problem was and how it could be exploited.
The bug report may contain the patch (bug fix) as an attachment.
* Commit the bug fix
The commit log of the bug fix should contain the line:
#+begin_example
Fixes <https://bugs.gnu.org/NNN>.
#+end_example
where NNN is the bug number obtained above.
* Commit a =etc/news.scm= entry as a followup
The news entry should be a simplified version of the bug report, with
the understanding that it will be read by users who just upgraded or
who are about to upgrade (in cases where the upgrade requires
additional step, such as running =guix system reconfigure=).
* Report the commit ID in the bug tracker
Once these two commits have been pushed, reply to NNN@debbugs.gnu.org
giving the commit ID that contains the fix.
* Announce the issue
** blog post with the “Security Advisory” tag
** Wrote a blog post with the “Security Advisory” tag
** message to info-guix@gnu.org
The blog post should roughly the same as the bug report above. It
should contain the bug report URL. Blog posts are available at
https://git.savannah.gnu.org/cgit/guix/guix-artwork.git/tree/website/posts.
** oss-security list (?)
** Send email to info-guix@gnu.org
The message be again roughly the same as the blog post, as plain
text, GPG-signed.
** Send email to the oss-security list (optionally)
If deemed useful, email the [[https://www.openwall.com/lists/oss-security/][oss-security list]].
* Assign a CVE number via https://cveform.mitre.org/ (?)
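Review bot: The added prose in this hunk has several typos and dropped words that should be fixed before this lands, since this file is the reference for how advisories are written. "1. whos affected and whos not" should read "1. who's affected and who's not"; "The blog post should roughly the same as the bug report above" is missing "be" ("should be roughly the same"); "The message be again roughly the same as the blog post" is missing "should"; and "requires additional step" should be "requires additional steps". Separately, the new heading "* Assign a CVE number via https://cveform.mitre.org/ (?)" leaves the CVE step as an open question; consider stating whether a CVE is requested for every advisory or only when deemed useful, as the oss-security step already does, so the procedure is unambiguous for whoever handles the next issue.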