Security #62

Closed
RichardLitt opened this issue Oct 28, 2015 · 4 comments

Comments

@RichardLitt
Member

What

We should be more prominent about how we deal with security issues. Currently, there is a security section in the CONTRIBUTING.md file in this repo. It is the first section, and all IPFS repositories ought to point to this file, anyway - however, they currently do so by linking through their own contribute files, which adds friction for anyone who might have a security concern to follow.

I'm not sure that this is good enough. We could add a Security.md file, and link to it. I suggested this to some people early today, but after an extensive search, I couldn't find anyone else who really does this on GitHub, which means that it is unlikely people will be looking for it. As well, I think that security concerns can really be summed up in only one paragraph, and are unlikely to change. I think a better solution is to do what Docker does. Immediately under the description of Docker in their main Readme.md they have a Security Disclosure section, outlining that no issues should be opened which might compromise current versions.

Suggested next steps

  • Add a security section to ipfs/go-ipfs/CONTRIBUTING.md.
  • Add a security section to ipfs/ipfs/README.md.
  • Add a security section to ipfs/go-ipfs/README.md.

I may be wrong about the security section changing. If so, we can link to a Security.md in this repo. Here is the current section, in its entirety:

Security Issues

The IPFS protocol and its implementations are still in heavy development. This means that there may be problems in our protocols, or there may be mistakes in our implementations. And -- though IPFS is not production-ready yet -- many people are already running nodes in their machines. So we take security vulnerabilities very seriously. If you discover a security issue, please bring it to our attention right away!

If you find a vulnerability that may affect live deployments -- for example, expose a remote execution exploit -- please send your report privately to juan@ipfs.io, please DO NOT file a public issue.

If the issue is a protocol weakness or something not yet deployed, just discuss it openly.

@jbenet
Member

jbenet commented Nov 2, 2015

👍 to doing what Docker does, and to your suggestions.

I can set up security@ipfs.io too -- let's use that.

RichardLitt added a commit to ipfs/kubo that referenced this issue Nov 2, 2015
See ipfs/community#62

License: MIT
Signed-off-by: Richard Littauer <richard.littauer@gmail.com>
RichardLitt added a commit to RichardLitt/ipfs that referenced this issue Nov 2, 2015
@RichardLitt
Member Author

I PR'd both ipfs/ipfs/README and ipfs/go-ipfs/README. I think ipfs/go-ipfs/CONTRIBUTE should be fine without it, as we point to it in the readme and in the contribution guidelines, actually.

Please set up security@ipfs.io ASAP, or before merging! 👍

@jbenet
Member

jbenet commented Nov 2, 2015

already set up :) 👍

@RichardLitt
Member Author

Updated both with suggested comment about wording, should be good to merge.

rht pushed a commit to rht/go-ipfs that referenced this issue Nov 20, 2015
See ipfs/community#62

License: MIT
Signed-off-by: Richard Littauer <richard.littauer@gmail.com>
RichardLitt added a commit to ipfs/kubo that referenced this issue Dec 17, 2015
See ipfs/community#62

License: MIT
Signed-off-by: Richard Littauer <richard.littauer@gmail.com>