From 6d8cf864765d97955d398604155a7076acab092f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 30 Aug 2019 09:03:41 +0200 Subject: [PATCH 1/2] docs: new systemd-security mailing list In the past, we asked people to open a security bug on one of the "big" distros. This worked OK as far as getting bugs reported and notifying some upstream developers went. But we always had trouble getting information to all the appropriate parties, because each time a bug was reported, a big thread was created, with a growing CC list. People who were not CCed early enough were missing some information, etc. To clean this up, we decided to create a private mailing list. The natural place would be freedesktop.org, but unfortunately the request to create a mailing list wasn't handled (https://gitlab.freedesktop.org/freedesktop/freedesktop/issues/134). And even if it was, at this point, if there was ever another administrative issue, it seems likely it could take months to resolve. So instead, we asked for a list to be created on the redhat mailservers. Please consider the previous security issue reporting mechanisms rescinded, and send any sensitive bugs to systemd-security@redhat.com. --- NEWS | 4 ++++ docs/CONTRIBUTING.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 5a2f6df9e5..b444e2418a 100644 --- a/NEWS +++ b/NEWS @@ -432,6 +432,10 @@ CHANGES WITH 243 in spe: * IOWeight= has learnt to properly set the IO weight when using the BFQ scheduler officially found in kernels 5.0+. + * A new mailing list has been created for reporting of security issues: + systemd-security@redhat.com. For mode details, see + https://systemd.io/CONTRIBUTING#security-vulnerability-reports. + Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey, Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris 
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index f40d9a010a..0107474217 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -23,7 +23,7 @@ For older versions that are still supported by your distribution please use resp ## Security vulnerability reports -If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue in one of the "big" distributions using systemd: [Fedora](https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=systemd) (be sure to check "Security Sensitive Bug" under "Show Advanced Fields"), [Ubuntu](https://launchpad.net/ubuntu/+source/systemd/+filebug) (be sure to change "This bug contains information that is" from "Public" to "Private Security"), or [Debian](mailto:security@debian.org). Various systemd developers are active distribution maintainers and will propagate the information about the bug to other parties. +If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue to the [systemd-security@redhat.com](mailto:systemd-security@redhat.com) mailing list. The disclosure will be coordinated with distributions. ## Posting Pull Requests From 153d5975751aab58c3c4cdfdbe13ea7187c16e28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 30 Aug 2019 11:45:42 +0200 Subject: [PATCH 2/2] docs: create new SECURITY.md page github has special support for that name: https://help.github.com/en/articles/adding-a-security-policy-to-your-repository. --- docs/CONTRIBUTING.md | 4 ++-- docs/SECURITY.md | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 docs/SECURITY.md 
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 0107474217..565acdd1cb 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ We welcome contributions from everyone. However, please follow the following gui ## Filing Issues -* We use GitHub Issues **exclusively** for tracking **bugs** and **feature** **requests** of systemd. If you are looking for help, please contact our [mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) instead. +* We use [GitHub Issues](https://github.com/systemd/systemd/issues) **exclusively** for tracking **bugs** and **feature** **requests** of systemd. If you are looking for help, please contact [systemd-devel mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) instead. * We only track bugs in the **two** **most** **recently** **released** **versions** of systemd in the GitHub Issue tracker. If you are using an older version of systemd, please contact your distribution's bug tracker instead. * When filing an issue, specify the **systemd** **version** you are experiencing the issue with. Also, indicate which **distribution** you are using. * Please include an explanation how to reproduce the issue you are pointing out. @@ -23,7 +23,7 @@ For older versions that are still supported by your distribution please use resp ## Security vulnerability reports -If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue to the [systemd-security@redhat.com](mailto:systemd-security@redhat.com) mailing list. The disclosure will be coordinated with distributions. +See [reporting of security vulnerabilities](SECURITY.md). ## Posting Pull Requests diff --git a/docs/SECURITY.md b/docs/SECURITY.md new file mode 100644 index 0000000000..93847dcd8e --- /dev/null +++ b/docs/SECURITY.md 
@@ -0,0 +1,7 @@ +--- +title: Reporting of security vulnerabilities +--- + +# Reporting of security vulnerabilities + +If you discover a security vulnerability, we'd appreciate a non-public disclosure. The [issue tracker](https://github.com/systemd/systemd/issues) and [systemd-devel mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) are fully public. If you need to reach systemd developers in a non-public way, report the issue to the [systemd-security@redhat.com](mailto:systemd-security@redhat.com) mailing list. The disclosure will be coordinated with distributions.
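Review bot: typo in the NEWS hunk of patch 1/2, the second added line reads "For mode details, see" and should read "For more details, see". The link target https://systemd.io/CONTRIBUTING#security-vulnerability-reports depends on the "## Security vulnerability reports" heading staying in CONTRIBUTING.md; patch 2/2 keeps the heading, so the anchor survives, but since that section becomes a one-line pointer to SECURITY.md in the next commit, consider linking the NEWS entry to the final page directly rather than through the redirect sentence.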
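Review bot: the CONTRIBUTING.md hunk in patch 1/2 drops the operational detail the removed paragraph carried (the "Security Sensitive Bug" and "Private Security" flags told reporters how to keep the report confidential), while the added line names the new list but never states that the list itself is non-public or who reads it, which is exactly what a reporter needs to know before sending details. Consider adding a sentence along the lines of "The list is private and not publicly archived; mail is read by systemd developers only" if that is accurate. Also, patch 2/2 rewrites this same paragraph again, so the two commits could be squashed or reordered to avoid committing the intermediate wording.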
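Review bot: the first CONTRIBUTING.md hunk in patch 2/2 (the "Filing Issues" bullet) is unrelated to the SECURITY.md change described in the commit message: it adds a GitHub Issues link and relabels the mailing-list link. Either split it into its own commit or mention it in the message. The added line also loses an article: "please contact [systemd-devel mailing list](...)" should read "please contact the [systemd-devel mailing list](...)" (the removed line had "our").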
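Review bot: in the second CONTRIBUTING.md hunk of patch 2/2, the replacement line "See [reporting of security vulnerabilities](SECURITY.md)." is a relative link, which resolves on GitHub within docs/ and, given the front matter in the new file, should also render as a page on systemd.io. Consider keeping the one sentence stating that the issue tracker and mailing list are fully public here as well, so a reader skimming CONTRIBUTING.md is warned before following the link rather than after filing a public issue.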
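Review bot: the new docs/SECURITY.md hunk says only where to send reports; GitHub's security-policy feature does pick up SECURITY.md from the repository root, .github/ or docs/, so the location matches the commit message, but a reporter also needs to know what to include (affected systemd version, distribution, reproducer) and what to expect after sending (acknowledgement, coordination with distributions before public disclosure, as the last sentence implies). Consider a short bullet list covering those points, and state explicitly that the list is non-public, since the text asks for "a non-public disclosure" but never asserts that the list provides one.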