[PATCH] D100873: [docs] Describe reporting security issues on the chromium tracker.

Ahmed Bougacha via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon May 3 13:44:32 PDT 2021


ab marked 2 inline comments as done.
ab added a comment.

Thanks for the comments!  Tweaks inline



================
Comment at: llvm/docs/Security.rst:165
+
+*FUTURE*: We would be interested in adopting the `Github security`_ workflow to align with the developer workflows the LLVM community is using.  We have started with the `chromium issue tracker`_ instead, because creating Github Security Advisories is currently restricted to Github project admins.  However, Github Security Advisories may be better suited to publicly disclosing resolved security issues.
+
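Review bot: the product name is capitalized "GitHub", but this hunk writes "Github" throughout (`Github security`_, "Github Security Advisories", "Github project admins"); if the link label is changed to `GitHub security`_, its `.. _GitHub security:` target definition must be renamed to match, otherwise Sphinx will report an unknown reference.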
----------------
kristof.beyls wrote:
> Is my understanding correct that github's security workflow:
> * Does not easily enable reporting security issues? (That seems to be what https://opensource.stackexchange.com/questions/1958/report-a-security-issue-to-a-project-hosted-at-github confirms)
> * Does enable publicly disclosing resolved security issues and automatically notifying other projects on github that have a dependency?
> 
> If so, maybe this sentence or paragraph could be made a bit more clear, stating that currently github doesn't support easily reporting a security issue non-publicly, and therefore we're using an alternative that does enable that, i.e. the chromium issue tracker?
> The note about considering public disclosure using Github Security Advisories as a future improvement still makes sense to me.
> 
Yep, makes sense!  I tried rewriting the paragraph from that angle


================
Comment at: llvm/docs/Security.rst:168-172
+We are also currently using a private mailing list to discuss the internal logistics of the LLVM Security Group:
+
 * Nominate new members.
 * Propose member removal.
 * Suggest policy changes.
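Review bot: the private mailing list introduced on the first line of this hunk is named but not linked, unlike the `chromium issue tracker`_ reference earlier in the same document; add a `.. _...:` link target (or the list address) so readers know where it lives, or state explicitly that it is invite-only if that is the intent.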
----------------
george.burgess.iv wrote:
> kristof.beyls wrote:
> > I think that the LLVM security group discuss a lot of this publicly, as patch proposals to this document, or on the monthly public sync-up call.
> > 
> > Maybe it'd be a slightly more accurate reflection of reality to tweak the wording to:
> > "The LLVM security group also uses a private mailing list to discuss *confidential aspects* of LLVM security group logistics"?
> +1. Would it also be worth it to briefly reference the public sync-up call with a link to more info? (I wasn't aware of it, at least :) )
> 
> ```
> In addition to our `monthly public sync-up call`_ and discussions on public LLVM mailing lists, we use a private mailing list to discuss [...]
> ```
Yep, both suggestions make sense to me:  I mentioned these, emphasized that most of it is public, and linked to the sync-up table.

Per email thread I will add the mailing-list URL, but as I was doing it here I realized it probably deserves prominence at the top of the page, so I need to rewrite one of the "reporting" paragraphs up there.


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D100873/new/

https://reviews.llvm.org/D100873


