Addressing and announcing security issues
- Identify the problem and estimate its impact
- Work on a fix or workaround
- Publicize bug and patch at bug-guix@gnu.org
- Commit bug fix followed by an etc/news.scm entry
- Announce the issue
- Assign a CVE number via https://cveform.mitre.org/ (?)
This document describes the process to follow when reporting security issues in Guix.
Identify the problem and estimate its impact
This discussion usually happens on the private guix-security@gnu.org list.
Work on a fix or workaround
This may happen on guix-security, or it could be tracked in the bug tracker.
In general, bringing issues to public scrutiny can help raise awareness and find better solutions.
Publicize bug and patch at bug-guix@gnu.org
That gives a bug number that can be used to track progress.
Commit bug fix followed by an etc/news.scm entry
Report the commit ID in the bug tracker.