maintenance/doc/security-advisories.org

Addressing and announcing security issues

This document describes the process to follow when reporting security issues in Guix.

Identify the problem and estimate its impact

This discussion usually happens on the private guix-security@gnu.org list.

Work on a fix or workaround

This may happen on guix-security, or it could be tracked in the bug tracker.

In general, bringing issues to public scrutiny can help raise awareness and find better solutions.

Publicize bug and patch at bug-guix@gnu.org

That gives a bug number that can be used to track progress.

Commit bug fix followed by an etc/news.scm entry

Report the commit ID in the bug tracker.

Announce the issue

blog post with the “Security Advisory” tag

message to info-guix@gnu.org

oss-security list (?)