On 7/29/2021 3:29 PM, Even Rouault wrote:
Fair point. I've added a commit with the following text "However please refrain from publicly posting exploits with harmful consequences (data destruction, etc.). Only people with the github handles
I've read the security.md file and maybe I'm running a little slow
today, but I still don't understand how I would go about reporting a
serious security bug and what will happen afterwards.
Let's say I find a really serious vulnerability, something that might
let me erase your file system,
On 7/29/2021 11:20 AM, Even Rouault wrote:
I've created https://github.com/OSGeo/gdal/pull/4152 with a SECURITY.md that largely uses Kurt's proposal.
Even
On 28/07/2021 at 19:37, Even Rouault wrote:
PSC,
We just got https://github.com/OSGeo/gdal/issues/4146 from someone
trying to get in touch with a security issue. How do we want
From the semi-outside, and packaging perspective, I can completely
understand not having a full-blown private security process. It's
certainly a lot of work.
Some upstream packages have private reporting paths, and develop and
test patches in secret, even including packagers. I have several
Even,
I agree with you and Kurt that we should try to avoid the overhead of
special security handling. MapServer is intended to be web facing. GDAL
is not. That said, we should attempt to resolve security issues in the
normal course of bug fixing and releases. If there is a strong case for a
My take is pretty much the same as Even's. I suggest that we add a
SECURITY.md that says we do not currently treat security bugs in gdal
privately and that we don't generally do specific releases for security
issues. I thought there used to be a statement somewhere in the files
that said that
PSC,
We just got https://github.com/OSGeo/gdal/issues/4146 from someone
trying to get in touch with a security issue. How do we want to deal
with that? Personally dealing with all the secrecy about security
issues is not super appealing and my natural inclination would be to
deal with them