Security #62
👍 to doing what Docker does, and to your suggestions. I can set up
See ipfs/community#62 License: MIT Signed-off-by: Richard Littauer <richard.littauer@gmail.com>
I PR'd both ipfs/ipfs/README and ipfs/go-ipfs/README. I think ipfs/go-ipfs/CONTRIBUTE should be fine without it, as we point to it in the readme and in the contribution guidelines, actually. Please set up security@ipfs.io ASAP, or before merging! 👍
already set up :) 👍
Updated both with the suggested comment about wording; should be good to merge.
What
We should be more prominent about how we deal with security issues. Currently, there is a security section in the CONTRIBUTING.md file in this repo. It is the first section, and all IPFS repositories ought to point to this file anyway; however, they currently do so by linking through their own contribute files, which adds friction for anyone who might have a security concern to follow.
I'm not sure that this is good enough. We could add a Security.md file and link to it. I suggested this to some people earlier today, but after an extensive search, I couldn't find anyone else who really does this on GitHub, which means that it is unlikely people will be looking for it. As well, I think that security concerns can really be summed up in only one paragraph, and are unlikely to change. I think a better solution is to do what Docker does. Immediately under the description of Docker in their main Readme.md they have a Security Disclosure section, outlining that no issues should be opened which might compromise current versions.
Suggested next steps
I may be wrong about the security section changing. If so, we can link to a Security.md in this repo. Here is the current section, in its entirety: