
docs: create security policy #16140

Merged
merged 1 commit into from Jun 5, 2019

Conversation


@narula narula commented Jun 3, 2019

Github has started supporting SECURITY.md to contain a project's
security policy. Right now, the only place to find this project's
security contact is on bitcoincore.org. Adding this information to the
repository makes it easier to find as SECURITY.md becomes a standard.

This is copied almost exactly from https://bitcoincore.org/en/contact/
and based on conversations with EthanHeilman.

@fanquake fanquake added the Docs label Jun 3, 2019

@EthanHeilman EthanHeilman commented Jun 3, 2019

In the official github SECURITY.md template they have a "versions supported" section and a ## Reporting a Vulnerability header. I don't see the versions table as necessary, but there might be some use to including the ## Reporting a Vulnerability header as it would keep the same pattern as the default template.


@naumenkogs naumenkogs commented Jun 3, 2019

ACK.
I think this is a great idea, thank you.


@theuni theuni commented Jun 4, 2019

ACK.

Github's (sparse) documentation for SECURITY.md can be seen here: https://help.github.com/en/articles/adding-a-security-policy-to-your-repository

It's intended to provide a standard place for these policies. By merging this here, I suspect we'll see a trickle effect as our downstreams rebase and insert their own policies.

Also, it's worth mentioning that @narula pitched this idea to Github a few months ago (we were calling it DISCLOSURE.md then). Something might've been in the works already, but the nudge couldn't have hurt. Thanks!


@practicalswift practicalswift commented Jun 4, 2019

ACK c5fa63b

Welcome as a contributor @narula! :-)


@fanquake fanquake commented Jun 4, 2019

utACK c5fa63b

So this will also populate this tab:

(screenshot: the repository's "Security policy" tab)

jamesob approved these changes Jun 4, 2019

@jamesob jamesob left a comment

utACK c5fa63b

Compared GPG fingerprints to those on the bitcoincore.org.

@narula narula force-pushed the security-policy branch 2 times, most recently from da97216 to c6d0588 Jun 4, 2019

@narula narula commented Jun 4, 2019

Rebased and added ## Reporting a vulnerability line to address @EthanHeilman's point about making this consistent with default Github formatting.


@jonasschnelli jonasschnelli commented Jun 4, 2019

ACK c6d0588 (verified the keys)


@fanquake fanquake left a comment

re-ACK c6d0588

(screenshot: the repository's "Security" tab)


@promag promag commented Jun 4, 2019

utACK c6d0588.


@MarcoFalke MarcoFalke commented Jun 4, 2019

Concept ACK. I think we should also move the EOL policy from the website into the repo, but that might be also good for a follow up pull request.

From the template:

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :x:                |
| 4.0.x   | :white_check_mark: |
| < 4.0   | :x:                |


@narula narula commented Jun 4, 2019

@MarcoFalke I could add something like the following to comply with the suggested format. It's a bit annoying to have the same information in two places...

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.18    | :white_check_mark: |
| 0.17    | :white_check_mark: |
| 0.16    | :white_check_mark: |
| 0.15    | :white_check_mark: |
| < 0.15  | :x:                |

@narula narula force-pushed the security-policy branch from c6d0588 to fdd7fa1 Jun 5, 2019

@narula narula commented Jun 5, 2019

Added Supported Versions. Pending re-ACKs on the GPG keys with the new commit hash, is this good to merge?


@laanwj laanwj commented Jun 5, 2019

ACK fdd7fa1


@fanquake fanquake left a comment

ACK fdd7fa1

@laanwj laanwj merged commit fdd7fa1 into bitcoin:master Jun 5, 2019
1 of 2 checks passed
laanwj added a commit that referenced this issue Jun 5, 2019
fdd7fa1 docs: create security policy (Neha Narula)

Pull request description:

  Github has started supporting SECURITY.md to contain a project's
  security policy. Right now, the only place to find this project's
  security contact is on bitcoincore.org. Adding this information to the
  repository makes it easier to find as SECURITY.md becomes a standard.

  This is copied almost exactly from https://bitcoincore.org/en/contact/
  and based on conversations with EthanHeilman.

ACKs for commit fdd7fa:
  laanwj:
    ACK fdd7fa1

Tree-SHA512: 9d6b93d10fff6e9c7a5cb6d8c1f0660623cd7a015abac7738f2aa9d141075456e71612b830eb5c707275529e2099fb41a44c531e29d821c9d2857d22241a91c3

@sipa sipa commented Jun 5, 2019

How do we plan to maintain the accuracy of this file's contents in release branches?


@EthanHeilman EthanHeilman commented Jun 5, 2019

@sipa Can updating this file be folded into the release process?


@laanwj laanwj commented Jun 5, 2019

I think this file is only important in master, because that's where github (as I understand) looks to display it. So maybe it'd make sense to remove it when branching.

(there are some other process-related documents with the same problem, where the answer is basically always 'look at the version in master', like release-process.md, developer-notes.md and maybe more)


@sipa sipa commented Jun 5, 2019

@laanwj That makes sense.


@jnewbery jnewbery commented Jun 6, 2019

ACK fdd7fa1

Verified the fingerprints match bitcoincore.org.

laanwj added a commit that referenced this issue Jun 8, 2019
d7c0542 doc: update release process with SECURITY.md (Jon Atack)
e4e2b28 doc: clarify support in SECURITY.md (Jon Atack)

Pull request description:

  Follow-up to #16140:

  - Update the release process to maintain SECURITY.md; this looks like the sort of item that can otherwise be easily overlooked during a major release

  - Clarify type of support in SECURITY.md

  Question: If https://bitcoincore.org/en/lifecycle/#maintenance-period is still current policy, should v0.15 now be unmaintained and v0.16 EOL... seems the schedule on that page could use an update.

ACKs for commit d7c054:
  practicalswift:
    ACK d7c0542
  fanquake:
    ACK d7c0542. This seems to make sense.

Tree-SHA512: ce0f832d9804d7bfd29f2361948d7d6a4e93004a1f57e07a95dfba056caa4d8c4552267c66e6728b689b0309f4688c2d8d59d7b0c26b838c6a30df878a69fceb
sidhujag added a commit to syscoin/syscoin that referenced this issue Jun 9, 2019
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this issue Jun 27, 2021
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this issue Jun 28, 2021
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this issue Jun 29, 2021
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this issue Jul 1, 2021
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this issue Jul 1, 2021
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this issue Jul 12, 2021