Contrib: Add process for security responses. #12487
Conversation
r? @weihanglo (rustbot has picked a reviewer for you, use r? to override)
cc @rust-lang/security, would love if you have any feedback. My brain turned to mush while writing this, so I imagine there are things missing or confusing.
Thanks for writing this up! From my limited perspective, it looked good to go
Thanks for this. I love the write-up!
I am a bit worried about it getting out of sync with the actual procedure of the security WG. Should this be documented in the security WG's readme or elsewhere? Do they have any public docs for this purpose? It would be better if we doc only the part relevant to cargo, and link to their own doc.
Their public docs are linked at the beginning of this doc (https://github.com/rust-lang/wg-security-response/blob/main/docs/handling-reports.md). Theirs is oriented towards WG members, and this was oriented specifically for cargo team members. I agree there is risk that this information becomes stale. There are some unique properties of the cargo project that make this a bit complicated (for example, our branching and release process, version bumping, etc.). I tried to write this as much as "There is a rough outline of what the WG does. This fills in all the in-between bits that are specific to cargo."
@bors try
@bors try
Contrib: Add process for security responses. This adds some documentation to give some guidance and checklists for how a security issue is handled.
💥 Test timed out
@bors retry Going to merge this as Manishearth already approved
Contrib: Add process for security responses. This adds some documentation to give some guidance and checklists for how a security issue is handled.
@bors r+
☀️ Test successful - checks-actions
Update cargo 13 commits in 2cc50bc0b63ad20da193e002ba11d391af0104b7..925280f028db3a322935e040719a0754703947cf 2023-08-22 22:43:08 +0000 to 2023-08-25 21:16:44 +0000
- string leek is stable (rust-lang/cargo#12559)
- refactor: Pull out cargo-add MSRV code for reuse (rust-lang/cargo#12553)
- Contrib: Add process for security responses. (rust-lang/cargo#12487)
- Support dependencies from registries for artifact dependencies, take 2 (rust-lang/cargo#12421)
- fix(toml): Improve parse errors (rust-lang/cargo#12556)
- Create dedicated unstable flag for asymmetric-token (rust-lang/cargo#12551)
- chore(deps): update latest msrv to v1.72.0 (rust-lang/cargo#12549)
- changelog: add link to CVE-2023-40030 (rust-lang/cargo#12550)
- refactor(install): Move value parsing to clap (rust-lang/cargo#12547)
- fix: Set MSRV for internal packages (rust-lang/cargo#12381)
- doc: fix two links to tracing docs (rust-lang/cargo#12537)
- use AND search when having multiple terms (rust-lang/cargo#12548)
- fix(log): Use a more compact relative-time format (rust-lang/cargo#12542)
r? ghost
This adds some documentation to give some guidance and checklists for how a security issue is handled.