On 9/21/19 4:52 PM, [email protected] wrote:
> From: Luca Boccassi <[email protected]>
>
> The OSS-security project functions as a single point of contact for
> pre-release, embargoed security notifications. Distributions and major
> vendors are subscribed to this private list, so that they can be warned
> in advance and schedule the work required to fix the vulnerability.
>
> List and link this process in the DPDK security process document.
>
> Signed-off-by: Luca Boccassi <[email protected]>
> ---
> v1: As discussed at Userspace, we should include oss-security in the advance
> private notice. This change has a brief explanation and a link to the
> process.
> v2: --signoff missing in v1, lost somewhere between brain and keyboard
>
> doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
Thanks Luca, it's much appreciated.
Other than the typo reported below, it looks good to me:
Reviewed-by: Maxime Coquelin <[email protected]>
Maxime
>
> diff --git a/doc/guides/contributing/vulnerability.rst
> b/doc/guides/contributing/vulnerability.rst
> index a4bef48576..78f65fe81b 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list
> * Major DPDK users, considered trustworthy by the technical board, who
> have made the request to `[email protected] <mailto:[email protected]>`_
>
> +The `OSS security private mailing list mailto:[email protected]>` will
> +also be contacted one week before the end of the embargo, as indicated by
> `the
> +OSS-security process
> <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
> +and using the PGP key listed on the same page, describind the details of the
s/describind/describing/
> +vulnerability and sharing the patch[es]. Distributions and major vendors
> follow
> +this private mailing list, and it functions as a single point of contact for
> +embargoed advance notices for open source projects.
> +
> The security advisory will be based on below template,
> and will be sent signed with a security team's member GPG key.
>
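Review bot: both new hyperlinks in this hunk are malformed reStructuredText and will not render as links. The first, `OSS security private mailing list mailto:[email protected]>`, is missing the opening `<` before `mailto:` and the trailing `_` after the closing backtick; the second, `the OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`, is also missing the trailing `_`. Without the underscore Sphinx treats the span as default-role interpreted text rather than an external reference; both should follow the form already used two lines above, `[email protected] <mailto:[email protected]>`_. Besides the "describind" typo noted in the reply, consider naming the list as the linked page does (the "distros" list, operated by the oss-security project), since "OSS security private mailing list" is easily confused with the public oss-security list that the second hunk adds.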
> @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that
> system administrators
> do not have to deal with security updates over the weekend.
>
> The security advisory is posted
> -to `[email protected] <mailto:[email protected]>`_
> -as soon as the patches are pushed to the appropriate branches.
> +to `[email protected] <mailto:[email protected]>`_ and to `the public
> OSS-security
> +mailing list <mailto:[email protected]>` as soon as the patches
> +are pushed to the appropriate branches.
>
> Patches are then sent to `[email protected] <mailto:[email protected]>`_
> and `[email protected] <mailto:[email protected]>`_ accordingly.
>
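Review bot: the new reference `the public OSS-security mailing list <mailto:[email protected]>` lacks the trailing `_` that the adjacent `[email protected] <mailto:[email protected]>`_ and `[email protected] <mailto:[email protected]>`_ links carry, so it will render as interpreted text instead of a link; add the underscore after the closing backtick. Since the embedded-URI form wraps awkwardly, the link text could also be shortened to `oss-security <mailto:[email protected]>`_ to keep the source line within the width the rest of the file uses.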