
Create an initial Security.md document. #1617

Merged
merged 2 commits into from
Sep 29, 2021
Conversation

crankyoldgit
Owner

Respond to request in #1616


@JamieSlome JamieSlome left a comment


LGTM! 🍰

@NiKiZe
Collaborator

NiKiZe commented Sep 25, 2021

For small projects I think it is much better to not mention any specific user contact.
My logic is: check https://github.com/crankyoldgit/IRremoteESP8266/graphs/contributors and then check if the major committer is the same as the repo owner github.com/crankyoldgit/IRremoteESP8266; if so, use their email address used in most commits.

Are the noreply email addresses really usable? I get bounces when testing.
Another approach, if it needs to stay secret, is for the reporters to create a private repo, invite us to it, create an issue and mention us. - There should be better ways of "getting in touch with maintainers" for GitHub rather than having a separate file - which I see is likely to be forgotten and unmaintained. (And out of date in old releases; can specific files be excluded from releases?)

@crankyoldgit
Owner Author

For small projects I think it is much better to not mention any specific user contact.
My logic is: check https://github.com/crankyoldgit/IRremoteESP8266/graphs/contributors and then check if the major committer is the same as the repo owner github.com/crankyoldgit/IRremoteESP8266; if so, use their email address used in most commits.

I understand where you're coming from, and I agree to a point. I think we should make it easier than that for a report.

Are the noreply email addresses really usable? I get bounces when testing.

Ditto. Seems the documentation (https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository & https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-email-preferences/setting-your-commit-email-address) is wrong or I read it wrong.

Another approach, if it needs to stay secret, is for the reporters to create a private repo, invite us to it, create an issue and mention us. - There should be better ways of "getting in touch with maintainers" for GitHub rather than having a separate file - which I see is likely to be forgotten and unmaintained. (And out of date in old releases; can specific files be excluded from releases?)

Fair point(s). Though requiring someone to create a private repo seems excessive (Are private repos free now?, they used to be a paid feature)

Perhaps we should create a link in the document to get the current correct details from the master branch etc or gh-pages branch/site.

I'll look into some better way of handling contact that auto-tracks etc.

Leave only my email address, and change the email to something direct that actually works.
Also ask them to create an issue as well (without the sensitive details) so other people can be notified and it's a backup communication method.
@crankyoldgit
Owner Author

@NiKiZe I've updated the doc, please re-read etc.
Gist of the update is it drops the github email addresses, adds my personal one, and asks them to also create an issue without the sensitive details, as a backup comms method. i.e. In case I'm away/incapacitated etc etc.

It's not optimal, but it will do for now.

Collaborator

@NiKiZe NiKiZe left a comment


I still have my doubts about this but ok.
I would like this file to not be included in releases before merging, is that doable?

@crankyoldgit
Owner Author

Sounds reasonable to me. Let's remove it after we have the issue dealt with, and add this as a TODO for later.

@crankyoldgit
Owner Author

I still have my doubts about this but ok. I would like this file to not be included in releases before merging, is that doable?

Oh, I think you mean in some automated process before each release. I'll see if there is some way to exclude a file from a release in GitHub

@crankyoldgit
Owner Author

crankyoldgit commented Sep 29, 2021

I still have my doubts about this but ok. I would like this file to not be included in releases before merging, is that doable?

Oh, I think you mean in some automated process before each release. I'll see if there is some way to exclude a file from a release in GitHub

A quick google shows it can be automatically excluded from the "ZIP" file, but not from the "release" tag, as the tag is pretty much just a pointer to a view of the entire repo tree as of a given "commit". Thus we can't hide/exclude it as such.

I think we need to go to a pointer/URL approach, and point to a page that has the info. e.g. We could point to a "security-contacts" branch, that is outside of the release branch/tag, and have that file/page have the current info.

@NiKiZe
Collaborator

NiKiZe commented Sep 29, 2021

Exclude from zip (doable with gitattributes) was my thinking; having it in the zip is what I want to avoid. Tag etc. is git, so that is not as big an issue.
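
The `gitattributes` mechanism referred to above, shown as an added example that is not part of this pull request: a throwaway repo marks `SECURITY.md` with `export-ignore`, which keeps it out of `git archive` output (the basis of a source zip/tarball) while the file stays in the tagged tree, which is the distinction the thread describes. The file contents and the commit identity are constructed placeholders.

```shell
#!/bin/sh
# Added example (not project code): demonstrate `export-ignore` in .gitattributes.
# Builds a temporary repo, tags it, and reports whether SECURITY.md appears in
# (a) the `git archive` output and (b) the tag's tree itself.
# Prints one line: "archive=<yes|no> tree=<yes|no>".
set -eu

export_ignore_demo() {
  repo=$(mktemp -d)
  (
    cd "$repo"
    git init -q
    git config user.email "demo@example.invalid"   # constructed identity
    git config user.name "demo"

    # Constructed file contents; the policy text is a placeholder.
    printf 'Report issues to <placeholder contact>\n' > SECURITY.md
    printf 'library source placeholder\n' > IRremoteESP8266.h
    # The attribute that keeps the policy out of release archives only.
    printf 'SECURITY.md export-ignore\n' > .gitattributes

    git add -A
    git commit -q -m "initial"
    git tag v1.0.0

    # View 1: what a release zip/tarball would contain.
    if git archive --format=tar v1.0.0 | tar -tf - | grep -qx 'SECURITY.md'; then
      in_archive=yes
    else
      in_archive=no
    fi
    # View 2: the tagged tree, which a release tag merely points at.
    if git ls-tree --name-only v1.0.0 | grep -qx 'SECURITY.md'; then
      in_tree=yes
    else
      in_tree=no
    fi
    printf 'archive=%s tree=%s\n' "$in_archive" "$in_tree"
  )
  rm -rf "$repo"
}
```

Running `export_ignore_demo` prints `archive=no tree=yes`, confirming the file is excluded from the archive but not from the tag.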

@crankyoldgit crankyoldgit deleted the securitymd branch September 29, 2021 22:12
crankyoldgit added a commit that referenced this pull request Sep 30, 2021
crankyoldgit added a commit that referenced this pull request Oct 2, 2021
crankyoldgit added a commit that referenced this pull request Nov 15, 2021
Original `SECURITY.md` has been moved to the `gh-pages` branch so it shows up only on the web, not in the git branch itself.

Per #1618 & #1617 it was moved because only release packages may contain old details, and this way there is only one canonical location/copy etc.

Fixes #1617
Fixes #1618
crankyoldgit added a commit that referenced this pull request Nov 15, 2021
crankyoldgit added a commit that referenced this pull request Nov 19, 2021
_v2.8.0 (20211119)_

**[Bug Fixes]**
- Fix compilation issue when using old 8266 Arduino Frameworks. (#1639 #1640)
- Fix potential security issue with `scrape_supported_devices.py` (#1616 #1619)

**[Features]**
- SAMSUNG_AC
  - Change `clean` setting to a toggle. (#1676 #1677)
  - Highest fan speed is available without Powerful setting. (#1675 #1678)
  - Change `beep` setting to a toggle. (#1669 #1671)
  - Fix Beep for AR12TXEAAWKNEU (#1668 #1669)
  - Add support for Horizontal Swing & Econo (#1277 #1667)
  - Add support for On, Off, & Sleep Timers (#1277 #1662)
  - Fix power control. Clean-up code & bitmaps from Checksum changes. (#1277 #1648 #1650)
- HAIER_AC176/HAIER_AC_YRW02
  - Add support A/B unit setting (#1672)
  - Add support degree Fahrenheit (#1659)
  - Add support `Lock` function (#1652)
  - Implement horizontal swing feature (#1641)
  - Implement Quiet setting. (#1634 #1635)
- Basic support for Airton Protocol (#1670 #1681)
- HAIER_AC176: Add Turbo and Quiet settings (#1634)
- Gree: Add `SwingH` & `Econo` control. (#1587 #1653)
- MIRAGE
  - Add experimental detailed support. (#1573 #1615)
  - Experimental detailed support for KKG29A-C1 remote. (#1573 #1660)
- ELECTRA_AC: Add support for "IFeel" & Sensor settings. (#1644 #1645)
- Add Russian translation (#1649)
- Add Swedish translation (#1627)
- Reduce flash space used. (#1633)
- Strings finally in Flash! (#1493 #1614 #1623)
- Add support for Rhoss Idrowall MPCV 20-30-35-40 A/C protocol (#1630)
- Make `IRAc::opmodeToString()` output nicer for humans. (#1613)
- TCL112AC/TEKNOPOINT: Add support for `GZ055BE1` model (#1486 #1602)
- Support for Arris protocol. (#1598)
- SharpAc: Allow position control of SwingV (#1590 #1594)

**[Misc]**
- HAIER_AC176/HAIER_AC_YRW02
  - Replace some magic numbers with constants (#1679)
  - Small fix `Quiet` and `Turbo` test (#1674)
  - Fix `IRHaierAC176::getTemp()` return value description (#1663)
- Security Policy creation and changes. (#1616 #1617 #1618 #1621 #1680)
- IRrecvDumpV2/3: Update PlatformIO envs for missing languages (#1661)
- IRMQTTServer
  - Use the correct string for Fan mode in Home Assistant. (#1610 #1657)
  - Move a lot of the strings/text to flash. (#1638)
- Minor code style improvements. (#1656)
- Update Supported Devices
  - HAIER_AC176 (#1673)
  - LG A/C (#1651 #1655)
  - Symphony (#1603 #1605)
  - Epson (#1574 #1601)
  - GREE (#1587 #1588)
  - SharpAc (#1590 #1591)
- Add extra tests for LG2 protocol (#1654)
- Fix parameter expansion in several macros.
- Move some strings to `IRtext.cpp` & `locale/default.h` (#1637)
- RHOSS: Move include and defines to their correct places (#1636)
- Make makefile only build required files when running `run-%` target (#1632)
- Update Portuguese translation (#1628)
- Add possibility to run specific test case (#1625)
- Change `googletest` library ignore (#1626)
- Re-work "Fan Only" strings & matching. (#1610)
- Address `C0209` pylint warnings. (#1608)
@crankyoldgit crankyoldgit mentioned this pull request Nov 19, 2021
crankyoldgit added a commit that referenced this pull request Nov 19, 2021