From 212227125e2ef6f090e98db71f1576c31f20baad Mon Sep 17 00:00:00 2001 From: Roberto Sora Date: Fri, 15 Jan 2021 17:26:52 +0100 Subject: [PATCH] break everything --- README.md | 292 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 230 insertions(+), 62 deletions(-) diff --git a/README.md b/README.md index 72faa07..6798b01 100644 --- a/README.md +++ b/README.md @@ -1,79 +1,247 @@ -# Create Changelog +# Proposal: Security Policy for Go -[![Actions Status](https://github.com/arduino/create-changelog/workflows/Test%20Action/badge.svg)](https://github.com/arduino/create-changelog/actions) +Author(s): Jason Buberel -This actions is an highly opinionated tool that creates changelogs from the git repository commit history. +Last updated: 2015-07-31 -If no property is set the changelog will be created from the current commit to the previous existing tag or the first commit. +Discussion at https://golang.org/issue/11502. + +## Abstract -## Usage +Go programs are being deployed as part of security-critical applications. +Although Go has a generally good history of being free of security +vulnerabilities, the current process for handling security issues is very +informal. In order to be more transparent and the better coordinate with the +community, I am proposing that the Go project adopt a well-defined security +and vulnerability disclosure policy. -This action is meant to be launched inside a Git repository, thus the current `working-directory` must be set accordingly or it will fail. +## Background -The action accepts some properties: +The Go standard library includes a complete, modern [cryptography +package](https://golang.org/pkg/crypto/). Since the initial release of Go, +there has a single documented security vulnerability [CVE-2014-7189] +(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7189) in the crypto +package. This is a promising track record, but as Go usage increases the +language and standard library will come under increasing scrutiny by the +security research community. + +In order to better manage security issues, a formal security policy for Go +should be established. + +Other language and library open source projects have established security +policies. The following policies were reviewed and considered in the creation +of this proposal: + +* [Python Security Policy](https://www.python.org/news/security/) +* [Ruby on Rails Security Policy](http://rubyonrails.org/security/) +* [Rust Security Policy](https://www.rust-lang.org/security.html) +* [Webkit Security Policy](https://www.webkit.org/security/) +* [Xen Project Security Policy](https://www.xenproject.org/security-policy.html) + +These policies differ in various aspects, but in general there is a common set +of guidelines that are typically established: + +* How security issues should be reported +* Who will be responsible for reviewing these reports +* What is the response time promises made for initial review +* Exactly what steps will be followed for handing issues +* What type of embargo period will be applied +* How will communication of issues be handled, both pre- and post-disclosure + +It was also suggested that the Go project consider the use of managed security +services, such as [HackerOne](https://hackerone.com/). The consensus of +commenters on this topic was a reluctance to base the Go process on a third- +party system at this time. + + +## Proposal + +Among the existing security policies reviewed, the [Rust +policy](https://www.rust-lang.org/security.html) is considered a good starting +point. Once adopted, this policy will be hosted at +[https://golang.org/security](https://golang.org/security). The details of the +policy are in the Implementation section below. + +## Implementation + +### Reporting a Security Bug + +Safety is one of the core principles of Go, and to that end, we would like to +ensure that Go has a secure implementation. Thank you for taking the time to +responsibly disclose any issues you find. + +All security bugs in the Go distribution should be reported by email to +[security@golang.org](mailto:security@golang.org). This list is delivered to a +small security team. Your email will be acknowledged within 24 hours, and +you'll receive a more detailed response to your email within 72 hours +indicating the next steps in handling your report. If you would like, you can +encrypt your report using our PGP key (listed below). + +Please use a descriptive subject line for your report email. After the initial +reply to your report, the security team will endeavor to keep you informed of +the progress being made towards a fix and full announcement. As recommended by +RFPolicy, these updates will be sent at least every five days. In reality, +this is more likely to be every 24-48 hours. + +If you have not received a reply to your email within 48 hours, or have not +heard from the security team for the past five days, please contact the +following members of the Go security team directly: + +* Contact the primary security coordinator - [Andrew Gerrand] +(mailto:adg@golang.org) - directly. +* Contact the secondary coordinator - [Adam Langley](mailto:agl@google.com) - +[public key](https://www.imperialviolet.org/key.asc) directly. +* Post a message to [golang-dev@golang.org](mailto:golang-dev@golang.org) or +[golang-dev web interface] +(https://groups.google.com/forum/#!forum/golang-dev). + +Please note that golang-dev@golang.org is a public discussion forum. When +escalating on this list, please do not disclose the details of the issue. +Simply state that you're trying to reach a member of the security team. + +### Flagging Existing Issues as Security-related + +If you believe that an [existing issue](https://github.com/golang/go/issues) +is security-related, we ask that you send an email to +[security@golang.org](mailto:security@golang.org). The email +should include the issue ID and a short description of why it should be +handled according to this security policy. + +### Disclosure Process + +The Go project will use the following disclosure process: + +1. Once the security report is received it will be assigned a primary handler. +This person will coordinate the fix and release process. +1. The problem will be confirmed and a list of all affected versions is +determined. +1. Code will be audited to find any potential similar problems. +1. If it is determined, in consultation with the submitter, that a CVE-ID is +required the primary handler will be responsible for obtaining via email +to the [oss-distros] +(http://oss-security.openwall.org/wiki/mailing-lists/distros) list. +1. Fixes will be prepared for the current stable release and the head/master +revision. These fixes will not be committed to the public repository. +1. Details of the issue and patch files will be sent to the +[distros@openwall] +(http://oss-security.openwall.org/wiki/mailing-lists/distros) +mailing list. +1. Three working days following this notification, the fixes will be +applied to the [public repository](https://go.googlesource.com/go) and new +builds deployed to [https://golang.org/dl](https://golang.org/dl) +1. On the date that the fixes are applied, announcements will be sent to +[golang-announce] +(https://groups.google.com/forum/#!forum/golang-announce), +[golang-dev@golang.org](https://groups.google.com/forum/#!forum/golang-dev), +[golang-nuts@golang.org](https://groups.google.com/forum/#!forum/golang-nuts) +and the [oss-security@openwall](http://www.openwall.com/lists/oss-security/). +1. Within 6 hours of the mailing lists being notified, a copy of the advisory +will also be published on the [Go blog](https://blog.golang.org). + +This process can take some time, especially when coordination is required with +maintainers of other projects. Every effort will be made to handle the bug in +as timely a manner as possible, however it's important that we follow the +release process above to ensure that the disclosure is handled in a consistent +manner. + +For those security issues that include the assignment of a CVE-ID, the issue +will be publicly listed under the ["Golang" product on the CVEDetails +website] +(http://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html) +as well as the [National Vulnerability Disclosure site] +(https://web.nvd.nist.gov/view/vuln/search). + +### Receiving Security Updates + +The best way to receive security announcements is to subscribe to the +[golang-announce] +(https://groups.google.com/forum/#!forum/golang-announce) +mailing list. Any messages pertaining to a security issue will be prefixed +with `[security]`. + +### Comments on This Policy + +If you have any suggestions to improve this policy, please send an email to +[golang-dev@golang.org](mailto:golang-dev@golang.org) for discussion. + +### Plaintext PGP Key for [security@golang.org](mailto:security@golang.org) -- `tag-regex` to pick which tags are taken into consideration to create the changelog, the example below would ignore all tags except those matching it, `0.0.1` would be accepted but `v0.0.1` or `0.0.1-rc` would be ignored. - By default any tag is used. - -``` - - name: Create Changelog - uses: arduino/create-changelog@v1 - with: - tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+$' -``` - -- `filter-regex` to skip certain commmits based on their message, the example below would skip all commits that start with the `[skip]` string. - By default no commit is skipped. - -``` - - name: Create Changelog - uses: arduino/create-changelog@v1 - with: - filter-regex: '^\[skip\].*' -``` - -- `changelog-file-path` to select the path and the name of the changelog file to be saved, the example below would save a `MyChangelog.md` file to the current `working-directory`. - By default `CHANGELOG.md` is used. - -``` - - name: Create Changelog - uses: arduino/create-changelog@v1 - with: - changelog-file-path: 'MyChangelog.md' ``` +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: GPGTools - https://gpgtools.org + +mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te ++fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT +J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L +ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75 +8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3 +oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc +7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF +X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN +JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk +xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE +0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB +tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCPQQTAQoA +JwUCVcjWHQIbAwUJB4YfgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA6RtGR +eVpYOLnDD/9YVTd6DTwdJq6irVfM/ICPlPTXB0JLERqCI1Veptcp56eQoJ0XWGQp +tkGlgbvmCzFo0B+65Te7YA4R3oyBCXd6JgyWQQPy5p60FHyuuCPVAReclSWyt9f2 +Yj/u4DjghKhELOvPiI96egcU3g9jrEEcPjm7JYkc9M2gVSNOnnJvcD7wpQJNCzon +51eMZ1ZyfA5UCBTa0SaT9eXg5zwNlYQnB6ZF6TjXezkhLqlTsBuHxoNVf+9vCC0o +ZKIM2ovptMx9eEguTDKWaQ7tero7Zs/q5fwk/MDzM/LGJ9aXy2RCtqBxv46vDS7G +fCNq+aPD/wyFd6hxQkvkua6hgZwYT+cJWHYA2Yv0LO3BYOJdjfc+j2hjv+mC9lF0 +UpWhCVJv3hHoFaxnz62GdROzf2wXz6aR9Saj1rYSvqT9jC20VInxqMufXNN2sbpo +Kyk6MTbAeepphQpfAWQv+ltWgBiEjuFxYdwv/vmw20996JV7O8nqkeCUW84B6su+ +Y3bbdP9o3DBtOT0j9LTB/FucmdNCNHoO+EnNBKJd6FoYTGLWi3Rq9DLx2V9tdJHo +Bn67dymcl+iyp337HJNY+qS+KCgoqAWlxkzXRiXKb/yluhXdIkqhg4kL8JPAJvfS +cs7Zn67Mx04ixJnRMYCDmxtD4xPsFMzM7g8m3PQp+nE7WhujM/ImM7kCDQRVyNYd +ARAAlw9H/1ybQs4K3XKA1joII16rta9KS7ew76+agXo0jeSRwMEQfItOxYvfhmo8 ++ydn5TWsTbifGU8L3+EBTMRRyzWhbaGO0Wizw7BTVJ7n5JW+ndPrcUpp/ilUk6AU +VxaO/8/R+9+VJZpoeoLHXYloFGNuX58GLIy1jSBvLsLl/Ki5IOrHvD1GK6TftOl5 +j8IPC1LSBrwGJO803x7wUdQP/tsKN/QPR8pnBntrEgrQFSI+Q3qrCvVMmXnBlYum +jfOBt8pKMgB9/ix+HWN8piQNQiJxD+XjEM6XwUmQqIR7y5GINKWgundCmtYIzVgY +9p2Br6UPrTJi12LfKv5s2R6NnxFHv/ad29CpPTeLJRsSqFfqBL969BCpj/isXmQE +m4FtziZidARXo12KiGAnPF9otirNHp4+8hwNB3scf7cI53y8nZivO9cwI7BoClY6 +ZIabjDcJxjK+24emoz3mJ5SHpZpQLSb9o8GbLLfXOq+4uzEX2A30fhrtsQb/x0GM +4v3EU1aP2mjuksyYbgldtY64tD35wqAA9mVl5Ux+g1HoUBvLw0h+lzwh370NJw// +ITvBQVUtDMB96rfIP4fL5pYl5pmRz+vsuJ0iXzm05qBgKfSqO7To9SWxQPdX89R4 +u0/XVAlw0Ak9Zceq3W96vseEUTR3aoZCMIPiwfcDaq60rWUAEQEAAYkCJQQYAQoA +DwUCVcjWHQIbDAUJB4YfgAAKCRA6RtGReVpYOEg/EADZcIYw4q1jAbDkDy3LQG07 +AR8QmLp/RDp72RKbCSIYyvyXEnmrhUg98lUG676qTH+Y7dlEX107dLhFuKEYyV8D +ZalrFQO/3WpLWdIAmWrj/wq14qii1rgmy96Nh3EqG3CS50HEMGkW1llRx2rgBvGl +pgoTcwOfT+h8s0HlZdIS/cv2wXqwPgMWr1PIk3as1fu1OH8n/BjeGQQnNJEaoBV7 +El2C/hz3oqf2uYQ1QvpU23F1NrstekxukO8o2Y/fqsgMJqAiNJApUCl/dNhK+W57 +iicjvPirUQk8MUVEHXKhWIzYxon6aEUTx+xyNMBpRJIZlJ61FxtnZhoPiAFtXVPb ++95BRJA9npidlVFjqz9QDK/4NSnJ3KaERR9tTDcvq4zqT22Z1Ai5gWQKqogTz5Mk +F+nZwVizW0yi33id9qDpAuApp8o6AiyH5Ql1Bo23bvqS2lMrXPIS/QmPPsA76CBs +lYjQwwz8abUD1pPdzyYtMKZUMwhicSFOHFDM4oQN16k2KJuntuih8BKVDCzIOq+E +KHyeh1BqWplUtFh1ckxZlXW9p9F7TsWjtfcKaY8hkX0Cr4uVjwAFIjLcAxk67ROe +huEb3Gt+lwJz6aNnZUU87ukMAxRVR2LL0btdxgc6z8spl66GXro/LUkXmAdyOEMV +UDrmjf9pr7o00hC7lCHFzw== +=WE0r +-----END PGP PUBLIC KEY BLOCK----- -- `case-insensitive-regex` to make both `tag-regex` and `filter-regex` case insensitive, defaults to `false`. - -``` - - name: Create Changelog - uses: arduino/create-changelog@v1 - with: - case-insensitive-regex: true ``` -## Development +## Rationale -To work on the codebase you have to install all the dependencies: +### Early Disclosure -```sh -# npm install -``` - -To run tests: - -```sh -# npm run test -``` +The Go security policy does not contain a provision for the early disclosure +of vulnerabilities to a small set of "trusted" partners. The Xen and WebKit +policies do contain provisions for this. According to several members of the +security response team at Google (Ben Laurie, Adam Langley), it is incredibly +difficult to retain secrecy of embargoed issues once they have been shared +with even a small number of partners. -See the [official Github documentation][pat-docs] to know more about Personal Access Tokens. +### Security Review Team Membership -## Release +The Go security policy does not contain formal provisions for nomination or +removal of members of the security review team. WebKit, for example, specifies +how new members can become members of the security review team. This may be +needed for the Go project at some point in the future; it does not seem +necessary at this time. -1. `npm install` to add all the dependencies, included development. -2. `npm run build` to build the Action under the `./lib` folder. -3. `npm run test` to see everything works as expected. -4. `npm run pack` to package for distribution -5. `git add src dist` to check in the code that matters. -6. open a PR and request a review. +## Open issues -[pat-docs]: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token +* PGP key pair needed for security@golang.org address. +* Need to designate a primary and secondary alternative contact.