[PATCH] D100873: [docs] Describe reporting security issues on the chromium tracker.

Kristof Beyls via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Apr 21 00:54:30 PDT 2021 

kristof.beyls added a comment.

Thanks for this Ahmed!
This mostly looks good to me, I just have a few nit-comments inline.



================
Comment at: llvm/docs/Security.rst:165
+
+*FUTURE*: We would be interested in adopting the `Github security`_ workflow to align with the developer workflows the LLVM community is using.  We have started with the `chromium issue tracker`_ instead, because creating Github Security Advisories is currently restricted to Github project admins.  However, Github Security Advisories may be better suited to publicly disclosing resolved security issues.
+
----------------
Is my understanding correct that github's security workflow work:
* Does not easily enable reporting security issues? (That seems to be what https://opensource.stackexchange.com/questions/1958/report-a-security-issue-to-a-project-hosted-at-github confirms)
* Does enable publicly disclosing resolved security issues and automatically notifying other projects on github that have a dependency?

If so, maybe this sentence of paragraph could be made a bit more clear, stating that currently github doesn't support easily reporting a security issue non-publicly, and therefore we're using an alternative that does enable that, i.e. the chromium issue tracker?
The note about considering public disclosure using Github Security Advisories as a future improvement still makes sense to me.



================
Comment at: llvm/docs/Security.rst:168-172
+We are also currently using a private mailing list to discuss the internal logistics of the LLVM Security Group:
+
 * Nominate new members.
 * Propose member removal.
 * Suggest policy changes.
----------------
I think that the LLVM security group discuss a lot of this publicly, as patch proposals to this document, or on the monthly public sync-up call.

Maybe it'd be a slightly more accurate reflection of reality to tweak the wording to:
"The LLVM security gorup also uses a private mailing list to discuss *confidential aspects* of LLVM security group logistics"?


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D100873/new/

https://reviews.llvm.org/D100873

More information about the llvm-commits mailing list