
docs: create security policy #16140

Merged: 1 commit merged into bitcoin:master from narula:security-policy on Jun 5, 2019

@narula (Contributor) commented Jun 3, 2019

Github has started supporting SECURITY.md to contain a project's
security policy. Right now, the only place to find this project's
security contact is on bitcoincore.org. Adding this information to the
repository makes it easier to find as SECURITY.md becomes a standard.

This is copied almost exactly from https://bitcoincore.org/en/contact/
and based on conversations with EthanHeilman.

@fanquake fanquake added the Docs label Jun 3, 2019

@EthanHeilman (Contributor) commented Jun 3, 2019

In the official github SECURITY.md template they have a "versions supported" section and a ## Reporting a Vulnerability header. I don't see the versions table as necessary, but there might be some use to including the ## Reporting a Vulnerability header as it would keep the same pattern as the default template.

@naumenkogs (Contributor) commented Jun 3, 2019

ACK.
I think this is a great idea, thank you.

@theuni (Member) commented Jun 4, 2019

ACK.

Github's (sparse) documentation for SECURITY.md can be seen here: https://help.github.com/en/articles/adding-a-security-policy-to-your-repository

It's intended to provide a standard place for these policies. By merging this here, I suspect we'll see a trickle effect as our downstreams rebase and insert their own policies.

Also, it's worth mentioning that @narula pitched this idea to Github a few months ago (we were calling it DISCLOSURE.md then). Something might've been in the works already, but the nudge couldn't have hurt. Thanks!

@practicalswift (Member) commented Jun 4, 2019

ACK c5fa63b

Welcome as a contributor @narula! :-)

@fanquake (Member) commented Jun 4, 2019

utACK c5fa63b

So this will also populate this tab:

[screenshot: the repository's "Security policy" tab]

@jamesob (Member) approved these changes Jun 4, 2019 and left a comment

utACK c5fa63b

Compared GPG fingerprints to those on the bitcoincore.org.

@narula narula force-pushed the narula:security-policy branch 2 times, most recently from da97216 to c6d0588 Jun 4, 2019

@narula (Contributor, Author) commented Jun 4, 2019

Rebased and added ## Reporting a vulnerability line to address @EthanHeilman's point about making this consistent with default Github formatting.

@jonasschnelli (Member) commented Jun 4, 2019

ACK c6d0588 (verified the keys)

@fanquake (Member) left a comment

re-ACK c6d0588

[screenshot: the repository's "Security" tab]

@promag (Member) commented Jun 4, 2019

utACK c6d0588.

@MarcoFalke (Member) commented Jun 4, 2019

Concept ACK. I think we should also move the EOL policy from the website into the repo, but that might be also good for a follow up pull request.

From the template:

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :x:                |
| 4.0.x   | :white_check_mark: |
| < 4.0   | :x:                |

@narula (Contributor, Author) commented Jun 4, 2019

@MarcoFalke I could add something like the following to comply with the suggested format. It's a bit annoying to have the same information in two places...

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.18    | :white_check_mark: |
| 0.17    | :white_check_mark: |
| 0.16    | :white_check_mark: |
| 0.15    | :white_check_mark: |
| < 0.15  | :x:                |

docs: create security policy
Github has started supporting SECURITY.md to contain a project's
security policy. Right now, the only place to find this project's
security contact is on bitcoincore.org. Adding this information to the
repository makes it easier to find as SECURITY.md becomes a standard.

This is copied almost exactly from https://bitcoincore.org/en/contact/
and based on conversations with Ethan Heilman.

@narula narula force-pushed the narula:security-policy branch from c6d0588 to fdd7fa1 Jun 5, 2019

@narula (Contributor, Author) commented Jun 5, 2019

Added Supported Versions. Pending re-ACKs on the GPG keys with the new commit hash, is this good to merge?

@laanwj (Member) commented Jun 5, 2019

ACK fdd7fa1

@fanquake (Member) left a comment

ACK fdd7fa1

@laanwj laanwj merged commit fdd7fa1 into bitcoin:master Jun 5, 2019

1 of 2 checks passed

continuous-integration/appveyor/pr: Waiting for AppVeyor build to complete
continuous-integration/travis-ci/pr: The Travis CI build passed

laanwj added a commit that referenced this pull request Jun 5, 2019

Merge #16140: docs: create security policy
fdd7fa1 docs: create security policy (Neha Narula)

Pull request description:

  Github has started supporting SECURITY.md to contain a project's
  security policy. Right now, the only place to find this project's
  security contact is on bitcoincore.org. Adding this information to the
  repository makes it easier to find as SECURITY.md becomes a standard.

  This is copied almost exactly from https://bitcoincore.org/en/contact/
  and based on conversations with EthanHeilman.

ACKs for commit fdd7fa:
  laanwj:
    ACK fdd7fa1

Tree-SHA512: 9d6b93d10fff6e9c7a5cb6d8c1f0660623cd7a015abac7738f2aa9d141075456e71612b830eb5c707275529e2099fb41a44c531e29d821c9d2857d22241a91c3

@sipa (Member) commented Jun 5, 2019

How do we plan to maintain the accuracy of this file's contents in release branches?

@EthanHeilman (Contributor) commented Jun 5, 2019

@sipa Can updating this file be folded into the release process?

@laanwj (Member) commented Jun 5, 2019

I think this file is only important in master, because that's where github (as I understand) looks to display it. So maybe it'd make sense to remove it when branching.

(there are some other process-related documents with the same problem, where the answer is basically always 'look at the version in master', like release-process.md, developer-notes.md and maybe more)

@sipa (Member) commented Jun 5, 2019

@laanwj That makes sense.

@jnewbery (Member) commented Jun 6, 2019

ACK fdd7fa1

Verified the fingerprints match bitcoincore.org.
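The "Supported Versions" table proposed earlier in the thread and the fingerprint comparison that several reviewers report doing by hand are both mechanical checks. The script below is an added example written for this page; it is not part of the pull request or of Bitcoin Core. It parses a constructed SECURITY.md laid out like the GitHub template, answers whether a given version is listed as receiving security updates (including the "< N" catch-all row), and diffs the PGP fingerprints listed in the file against a trusted reference list of the kind a reviewer would take from the project website. The SECURITY.md text, the contact address, the maintainer names and every fingerprint in it are constructed placeholders, not the project's real keys.

```python
"""Check a SECURITY.md against a reference: parse the 'Supported Versions'
table and compare the listed PGP fingerprints with a trusted list.

Added example for this page. Everything in SAMPLE_SECURITY_MD and
REFERENCE_FINGERPRINTS is a constructed placeholder, not a real key.
"""
import re

# Constructed sample, modelled on the GitHub template layout discussed in the
# thread. The fingerprints are placeholders, not anyone's real keys.
SAMPLE_SECURITY_MD = """# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.18    | :white_check_mark: |
| 0.17    | :white_check_mark: |
| 0.16    | :white_check_mark: |
| 0.15    | :white_check_mark: |
| < 0.15  | :x:                |

## Reporting a Vulnerability

Contact security@example.invalid (placeholder address). Keys:

* Example Maintainer A | 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
* Example Maintainer B | FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98
"""

# Trusted reference list (constructed). Maintainer B's last group is
# deliberately different from the file so the mismatch path is exercised.
REFERENCE_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA99",
}

# A two-column markdown table row, e.g. "| 0.18 | :white_check_mark: |".
TABLE_ROW = re.compile(r"^\|\s*(.+?)\s*\|\s*(.+?)\s*\|$")
# A 40-hex-digit OpenPGP v4 fingerprint, optionally grouped in fours.
FINGERPRINT = re.compile(r"(?:[0-9A-Fa-f]{4}[ ]?){10}")


def parse_supported_versions(text):
    """Return {version_label: bool} from the '## Supported Versions' table."""
    supported = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("## "):
            in_section = line.strip() == "## Supported Versions"
            continue
        if not in_section:
            continue
        m = TABLE_ROW.match(line.strip())
        if not m:
            continue
        version, status = m.groups()
        if version == "Version" or set(version) <= set("- "):
            continue  # skip the header row and the "---" separator row
        supported[version] = ":white_check_mark:" in status
    return supported


def _as_tuple(version):
    """'0.15' -> (0, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_version_supported(table, version):
    """Does `version` get security updates according to the parsed table?

    An exact row wins. Otherwise a '< N' catch-all row applies when
    version < N. Anything not covered by a row is treated as unsupported.
    """
    if version in table:
        return table[version]
    for label, status in table.items():
        if label.startswith("<") and _as_tuple(version) < _as_tuple(label[1:].strip()):
            return status
    return False


def extract_fingerprints(text):
    """All fingerprints in the file, normalised to upper-case with no spaces."""
    return {m.group(0).replace(" ", "").upper() for m in FINGERPRINT.finditer(text)}


def check_fingerprints(text, reference):
    """Compare the file's fingerprints with the trusted reference set.

    Returns (missing_from_file, unexpected_in_file); both empty means match.
    """
    listed = extract_fingerprints(text)
    return sorted(reference - listed), sorted(listed - reference)


if __name__ == "__main__":
    table = parse_supported_versions(SAMPLE_SECURITY_MD)
    for v in ("0.18", "0.14", "0.19"):
        print(v, "supported" if is_version_supported(table, v) else "unsupported")
    missing, unexpected = check_fingerprints(SAMPLE_SECURITY_MD, REFERENCE_FINGERPRINTS)
    print("missing from file:", missing)
    print("unexpected in file:", unexpected)
```

Run as-is it reports 0.18 as supported, 0.14 and 0.19 as unsupported, and flags maintainer B's fingerprint as both missing (the reference value) and unexpected (the file's value); feeding it a real SECURITY.md and a reference list copied from an out-of-band source turns the reviewers' manual comparison into a repeatable step.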

laanwj added a commit that referenced this pull request Jun 8, 2019

Merge #16164: doc: update release process for SECURITY.md
d7c0542 doc: update release process with SECURITY.md (Jon Atack)
e4e2b28 doc: clarify support in SECURITY.md (Jon Atack)

Pull request description:

  Follow-up to #16140:

  - Update the release process to maintain SECURITY.md; this looks like the sort of item that can otherwise be easily overlooked during a major release

  - Clarify type of support in SECURITY.md

  Question: If https://bitcoincore.org/en/lifecycle/#maintenance-period is still current policy, should v0.15 now be unmaintained and v0.16 EOL... seems the schedule on that page could use an update.

ACKs for commit d7c054:
  practicalswift:
    ACK d7c0542
  fanquake:
    ACK d7c0542. This seems to make sense.

Tree-SHA512: ce0f832d9804d7bfd29f2361948d7d6a4e93004a1f57e07a95dfba056caa4d8c4552267c66e6728b689b0309f4688c2d8d59d7b0c26b838c6a30df878a69fceb

sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Jun 9, 2019

Merge bitcoin#16164: doc: update release process for SECURITY.md
d7c0542 doc: update release process with SECURITY.md (Jon Atack)
e4e2b28 doc: clarify support in SECURITY.md (Jon Atack)

(Pull request description, ACKs and Tree-SHA512 are identical to the bitcoin/bitcoin merge commit above, with bitcoin# prefixes.)