Start using github security advisories
Patrick Williams
patrick at stwcx.xyz
Fri Oct 29 00:43:08 AEDT 2021
On Thu, Oct 28, 2021 at 08:31:37AM -0500, Joseph Reynolds wrote:
> On 10/27/21 2:42 PM, Brad Bishop wrote:
> > On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote:
> >> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote:
> >>> Brad or Andrew, Can we proceed with the creation of security
> >>> repository so that we can run a couple of trials on security issues?
> >> Hi James, thanks for the ping.
> >>
> >> The only reason I haven't already done this was this comment from
> >> Bruce:
> >>
> >>>> I believe we want to make sure that none of security advisories
> >>>> get sent to Discord, wouldn't want to accidentally be going to
> >>>> something like #gh-issues.
> >> This was a good point and I'm not sure what to do about it.
> > Hi James
> >
> > I created the security-response github group and the security-response
> > repo just now and made it private. Please do some testing and make sure
> > issues don't find their way into #gh-issues on Discord.
> >
> > thx - brad
>
> Thanks Brad!
>
> The plan is to write the first issues from real-life but low-severity
> problems which are also common knowledge within the openBMC community.
> Meaning: there will be minimal harm if the problem is disclosed.
>
> - Joseph
I want to reiterate three things:
1. In Github, security advisories are different from issues. Security
advisories are supposed to be able to be collaborated on in private
without the repository itself being private. Only when you are ready to
reveal the security advisory can you switch it to be public.
2. We have two webhooks for Discord now: one for issues and one for code
changes. Security advisories are not currently covered. If you make an
issue in a public repository anyone can see it, even if it isn't covered
by a Discord webhook, so "limiting the awareness by avoiding the Discord
webhook" isn't really what you want anyhow. You need to make sure the
information you want to be kept private is private (and again security
advisories are supposed to be the way to do that).
3. Having a private repository means you cannot report any security
advisories (or issues) in a public way. Today if someone goes to
https://github.com/openbmc/security-response they get a 404 (unless they
have explicit access to the private repository).
--
Patrick Williams
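The three points above amount to two checks a maintainer can run before filing the first trial issue: which events each Discord webhook actually forwards, and who can see an item given the repository's visibility and whether it is an issue or an unpublished advisory. The script below is an added illustration, not code from this thread or from the OpenBMC project. It works offline on constructed sample data; the `events` list and `config.url` fields are assumed to follow the shape of GitHub's repository-webhook objects, and the event name `repository_vulnerability_alert` in the sample is an assumed example of an event outside the two hooks' intended scope.

```python
"""Audit webhook event scope and item visibility (constructed, offline example)."""

# The thread describes two Discord hooks: one for issues, one for code changes.
# Anything beyond these two event kinds is flagged as out of scope.
DISCORD_ALLOWED_EVENTS = frozenset({"issues", "push"})

# Constructed sample in the assumed shape of GitHub repository-webhook objects.
SAMPLE_HOOKS = [
    {"events": ["issues"],
     "config": {"url": "https://discord.example/hooks/issues"}},
    {"events": ["push"],
     "config": {"url": "https://discord.example/hooks/code"}},
    # Hypothetical misconfigured hook: forwards an extra, advisory-related event.
    {"events": ["push", "repository_vulnerability_alert"],
     "config": {"url": "https://discord.example/hooks/misc"}},
]


def hooks_exceeding_allowlist(hooks, allowed=DISCORD_ALLOWED_EVENTS):
    """Return [(url, extra_events)] for hooks subscribed to events outside `allowed`.

    Each hook is a dict with an `events` list and a `config.url`; the result is
    sorted deterministically so it can be diffed between audits.
    """
    findings = []
    for hook in hooks:
        extra = sorted(set(hook.get("events", [])) - set(allowed))
        if extra:
            findings.append((hook["config"]["url"], extra))
    return findings


def audience(kind, repo_private, published=True):
    """Who can read an item, following the rules stated in the message.

    kind: "issue" or "advisory"; repo_private: repository visibility;
    published: for advisories, whether it has been switched to public.
    """
    if kind not in ("issue", "advisory"):
        raise ValueError(f"unknown item kind: {kind!r}")
    if repo_private:
        # A private repo hides everything, issues and advisories alike,
        # and outsiders get a 404 rather than a place to report.
        return "repository members only"
    if kind == "advisory" and not published:
        # Draft advisories are private even though the repo is public.
        return "advisory collaborators only"
    # A public-repo issue is readable by anyone, webhook or no webhook.
    return "anyone"


if __name__ == "__main__":
    for url, extra in hooks_exceeding_allowlist(SAMPLE_HOOKS):
        print(f"out-of-scope events on {url}: {', '.join(extra)}")
    print("public-repo issue:", audience("issue", repo_private=False))
    print("draft advisory:", audience("advisory", repo_private=False, published=False))
    print("private-repo issue:", audience("issue", repo_private=True))
```

The first check is the one worth automating against real hook listings: a hook that is "only for issues" but subscribed to additional events is exactly how an advisory-related notification would leak into a channel like #gh-issues, and the allowlist makes that a one-line diff rather than a manual read.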