Handling Security Issues
We ask people to report security issues regarding the ntp codebase to email@example.com
We ask that people not directly create bugzilla items for security issues.
- What were the reasons for this?
- I thought one of them was because we were concerned that email might go to bugs@ and we only want it to go to security@
- Are any of them still valid?
- We should consider finding a Security Officer
- Exactly what is the security@ address for?
- Who should be on that list?
Here are some other issues:
- Exactly what is a security issue?
- At what point do we make patches for these issues publicly available?
- As we apply commits to ntp-stable we automatically generate diff email and commit-log email, in addition to publishing the commits.
- At what point can we remove the security restriction on the bugzilla issue?
- I am inclined to do this when:
- the (first?) patch for the problem is published in a public repo
- after the bug is marked RESOLVED/READY
Is this an acceptable way to evolve a fix for a security issue:
- clone a repo to deal with it
- commit patches to this repo
- make dist tarballs as needed to provide to people for testing
- when ready:
- commit these changes to the parent repo for public release
- mark the issue as VERIFIED
- remove the security restriction from the bugzilla issue
Also note that VERIFIED currently means "the published fix works" and we may want to use something else (flags?) to signify when a fix is known to work and is ready to be published. We might be able to use READY for this case.
Note that if this is a problem for
then one should follow the normal workflow pattern and clone an
repo as well. This includes grabbing changes from the parent repos as needed.
- 25 Aug 2006