[PATCH] D100873: [docs] Describe reporting security issues on the chromium tracker.
Kristof Beyls via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed Apr 21 00:54:30 PDT 2021
kristof.beyls added a comment.
Thanks for this Ahmed!
This mostly looks good to me, I just have a few nit-comments inline.
================
Comment at: llvm/docs/Security.rst:165
+
+*FUTURE*: We would be interested in adopting the `Github security`_ workflow to align with the developer workflows the LLVM community is using. We have started with the `chromium issue tracker`_ instead, because creating Github Security Advisories is currently restricted to Github project admins. However, Github Security Advisories may be better suited to publicly disclosing resolved security issues.
+
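Review bot: the two hyperlink references in this paragraph, `Github security`_ and `chromium issue tracker`_, only render if matching `.. _Github security:` / `.. _chromium issue tracker:` targets exist somewhere in Security.rst; please confirm both targets are defined (Sphinx will otherwise emit an "Unknown target name" error). Also, "Github" should be spelled "GitHub" consistently throughout (it appears three times here), and the paragraph currently gives one reason for not using GitHub (advisories are admin-only to create) while the surrounding text is about reporters; consider making explicit that the limitation is on non-public reporting by outside parties, not just on who can create an advisory.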
----------------
Is my understanding correct that github's security workflow:
* Does not easily enable reporting security issues? (That seems to be what https://opensource.stackexchange.com/questions/1958/report-a-security-issue-to-a-project-hosted-at-github confirms)
* Does enable publicly disclosing resolved security issues and automatically notifying other projects on github that have a dependency?
If so, maybe this sentence or paragraph could be made a bit more clear, stating that currently github doesn't support easily reporting a security issue non-publicly, and therefore we're using an alternative that does enable that, i.e. the chromium issue tracker?
The note about considering public disclosure using Github Security Advisories as a future improvement still makes sense to me.
================
Comment at: llvm/docs/Security.rst:168-172
+We are also currently using a private mailing list to discuss the internal logistics of the LLVM Security Group:
+
* Nominate new members.
* Propose member removal.
* Suggest policy changes.
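Review bot: the lead-in sentence says the list is used "to discuss the internal logistics", but the bullets that follow are imperatives ("Nominate new members.", "Propose member removal.", "Suggest policy changes."), which reads as instructions to the reader rather than topics of discussion; consider nominal forms such as "Nominations of new members." / "Proposals for member removal." / "Suggested policy changes." Separately, the paragraph refers to "a private mailing list" without naming it or saying who administers membership; if the list address is intentionally unpublished, a short clause saying so would avoid readers looking for it.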
----------------
I think that the LLVM security group discuss a lot of this publicly, as patch proposals to this document, or on the monthly public sync-up call.
Maybe it'd be a slightly more accurate reflection of reality to tweak the wording to:
"The LLVM security group also uses a private mailing list to discuss *confidential aspects* of LLVM security group logistics"?
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D100873/new/
https://reviews.llvm.org/D100873