[llvm] [DOCS] Remove bullet point on improving security over time. (PR #116980)
Peter Smith via llvm-commits
llvm-commits at lists.llvm.org
Wed Nov 20 06:39:19 PST 2024
https://github.com/smithp35 created https://github.com/llvm/llvm-project/pull/116980
Remove the 6th bullet point "Strive to improve security over time, for example by adding additional testing, fuzzing and hardening after fixing issues."
At the security group meeting on 2024-11-19 we discussed the role the security group was performing in practice. We are in effect acting as a security response group, dealing with issues raised via the process given in the LLVM Security group page. We are not proactively adding additional testing, fuzzing and hardening. While this could be considered an aspirational goal, it may give the implication that the LLVM Security Group is handling or at worst guaranteeing security for the LLVM project when in practice it is not.
Meeting notes:
https://discourse.llvm.org/t/llvm-security-group-public-sync-ups/62735/32
From af3fa924e366d41632db8fe6d8a39d1b46afc45f Mon Sep 17 00:00:00 2001
From: Peter Smith <peter.smith at arm.com>
Date: Wed, 20 Nov 2024 14:23:46 +0000
Subject: [PATCH] [DOCS] Remove bullet point on improving security over time.
Remove the 6th bullet point "Strive to improve security over time, for
example by adding additional testing, fuzzing and hardening after
fixing issues."
At the security group meeting on 2024-11-19 we discussed the role the
security group was performing in practice. We are in effect acting as
a security response group, dealing with issues raised via the process
given in the LLVM Security group page. We are not proactively adding
additional testing, fuzzing and hardening. While this could be
considered an aspirational goal, it may give the implication that the
LLVM Security Group is handling or at worst guaranteeing security for
the LLVM project when in practice it is not.
Meeting notes:
https://discourse.llvm.org/t/llvm-security-group-public-sync-ups/62735/32
---
llvm/docs/Security.rst | 1 -
1 file changed, 1 deletion(-)
diff --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst
index 67b6ebb4b04d94..2a920f3e5010f6 100644
--- a/llvm/docs/Security.rst
+++ b/llvm/docs/Security.rst
@@ -9,7 +9,6 @@ The LLVM Security Group has the following goals:
3. Allow distributors time to investigate and deploy fixes before wide dissemination of vulnerabilities or mitigation shortcomings.
4. Ensure timely notification and release to vendors who package and distribute LLVM-based toolchains and projects.
5. Ensure timely notification to users of LLVM-based toolchains whose compiled code is security-sensitive, through the `CVE process`_.
-6. Strive to improve security over time, for example by adding additional testing, fuzzing, and hardening after fixing issues.
*Note*: these goals ensure timely action, provide disclosure timing when issues are reported, and respect vendors' / packagers' / users' constraints.
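Review bot: Deleting goal 6 removes the positive claim but leaves nothing in Security.rst that states the narrower role the PR description gives as the reason for the change, so a reader of the goals list still cannot tell that the group is a response group rather than a body that audits, fuzzes or hardens LLVM. Consider adding a sentence near the goals (for example after the "*Note*" paragraph) along the lines of "The LLVM Security Group acts as a response group for issues reported through this process; it does not proactively audit, fuzz or harden the project and does not guarantee the security of LLVM." The remaining list (items 1-5) and the "*Note*" paragraph read consistently after the removal, and the `CVE process`_ reference is still used by item 5, so no hyperlink target is orphaned.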