[dpdk-dev] [PATCH v2] doc: add oss-security to the security process

[David Marchand]

On Fri, Sep 27, 2019 at 9:21 AM Maxime Coquelin
<maxime.coquelin at redhat.com> wrote:
> On 9/21/19 4:52 PM, luca.boccassi at gmail.com wrote:
> > From: Luca Boccassi <luca.boccassi at microsoft.com>
> >
> > The OSS-security project functions as a single point of contact for
> > pre-release, embargoed security notifications. Distributions and major
> > vendors are subscribed to this private list, so that they can be warned
> > in advance and schedule the work required to fix the vulnerability.
> >
> > List and link this process in the DPDK security process document.
> >
> > Signed-off-by: Luca Boccassi <luca.boccassi at microsoft.com>
> > ---
> > v1: As discussed at Userspace, we should include oss-security in the advanced
> >     private notice. This change has a brief explanation and a link to the
> >     process.
> > v2: --signoff missing in v1, lost somewhere between brain and keyboard
> >
> >  doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> >  1 file changed, 11 insertions(+), 2 deletions(-)
>
> Thanks Luca, it's much appreciated.
> Other than the typo reported below, it looks good to me:
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
>
> Maxime
>
>
> >
> > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> > index a4bef48576..78f65fe81b 100644
> > --- a/doc/guides/contributing/vulnerability.rst
> > +++ b/doc/guides/contributing/vulnerability.rst
> > @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list
> >  * Major DPDK users, considered trustworthy by the technical board, who
> >    have made the request to `techboard at dpdk.org <mailto:techboard at dpdk.org>`_
> >
> > +The `OSS security private mailing list mailto:distros at vs.openwall.org>` will
> > +also be contacted one week before the end of the embargo, as indicated by `the
> > +OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
> > +and using the PGP key listed on the same page, describind the details of the
>
> s/describind/describing/

Fixed while applying.

>
> > +vulnerability and sharing the patch[es]. Distributions and major vendors follow
> > +this private mailing list, and it functions as a single point of contact for
> > +embargoed advance notices for open source projects.
> > +
> >  The security advisory will be based on below template,
> >  and will be sent signed with a security team's member GPG key.
> >
> > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
> >  do not have to deal with security updates over the weekend.
> >
> >  The security advisory is posted
> > -to `announce at dpdk.org <mailto:announce at dpdk.org>`_
> > -as soon as the patches are pushed to the appropriate branches.
> > +to `announce at dpdk.org <mailto:announce at dpdk.org>`_ and to `the public OSS-security
> > +mailing list <mailto:oss-security at lists.openwall.com>` as soon as the patches
> > +are pushed to the appropriate branches.
> >
> >  Patches are then sent to `dev at dpdk.org <mailto:dev at dpdk.org>`_
> >  and `stable at dpdk.org <mailto:stable at dpdk.org>`_ accordingly.
> >

Applied, thanks.


-- 
David Marchand