digitalmars.D - Security point of contact
- Cym13 (9/9) Jun 09 2018 Yop.
- Seb (9/18) Jun 09 2018 Sönke, Martin und myself.
- Cym13 (25/45) Jun 09 2018 Having the address will be a very good start, thank you.
- Vladimir Panteleev (4/9) Jun 09 2018 Less specifically, it depends on the component / property. There
Yop. I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly. Who should I contact? I'd very very much like to have something like a security dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.
Jun 09 2018
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:Yop. I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly. Who should I contact?Sönke, Martin und myself. https://github.com/s-ludwig (look in the DUB git log for his email address) https://github.com/MartinNowak https://github.com/wilzbachI'd very very much like to have something like a security dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.I will try to get this email address setup. At least we already have an official GPG keyring: https://dlang.org/gpg_keys.html
Jun 09 2018
On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:Thank you, the mail should be in your box already.Yop. I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly. Who should I contact?Sönke, Martin und myself. https://github.com/s-ludwig (look in the DUB git log for his email address) https://github.com/MartinNowak https://github.com/wilzbachHaving the address will be a very good start, thank you. For comparison the PHP project has two things that I enjoyed when disclosing bugs: 1. Security guidelines (https://wiki.php.net/security) that clearly state what they consider a vulnerability and what isn't. I find it very well designed and it could be an inspiration for a D security guideline even though we're not having too many vulnerabilities disclosed right now as far as I know. 2. They configured their bugzilla so that when the category "security" is used the bug is made private and only the proper team is put in copy. I don't know how easy it is so an email address seems more practical right now I think. Note that this is in complement to security php.net which they use mostly for security related talk but not bug reports. Anyway, I'm not sure we need all this right now, but I'd rather start the discussion early.I'd very very much like to have something like a security dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.I will try to get this email address setup. At least we already have an official GPG keyring: https://dlang.org/gpg_keys.html
Jun 09 2018
On Saturday, 9 June 2018 at 23:19:34 UTC, Cym13 wrote:Thank you, the mail should be in your box already.Well, apparently gmail considered it spam, so it shouldn't be in your box. But I'm sure Sönke or Martin will be able to transfer it.
Jun 09 2018
On Saturday, 9 June 2018 at 23:19:34 UTC, Cym13 wrote:On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:Sorry - I never got a mail :/ Which address did you use? In doubt, this is my official one: https://seb.wilzba.ch/contact/On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:Thank you, the mail should be in your box already.Yop. I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly. Who should I contact?Sönke, Martin und myself. https://github.com/s-ludwig (look in the DUB git log for his email address) https://github.com/MartinNowak https://github.com/wilzbach
Jun 10 2018
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:Who should I contact? I'd very very much like to have something like a security dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.Less specifically, it depends on the component / property. There is the https://wiki.dlang.org/People page, which has a list of points of contact.
Jun 09 2018
On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:This is the thing exactly, first of all the idea that the main developer of the part of the project impacted should be the one receiving the report is sound but far from obvious. In many countries there is a (stupid) legal risk associated with vulnerability disclosure, so as a researcher you'd rather be sure that you're talking to the right person. Furthermore the list doesn't provide any direct way to contact any of those people, which isn't surprising but adds friction. In the best case the email is visible on their github account, in the worst you need to look at commits and hope the email is still valid and the one the person expects to be contact with. The alternatives are 1) opening a public issue on issues.dlang.org, which I did many times where I judged that it was acceptable given the issue but I'm never at ease doing it, or 2) asking as I just did. I can say with certainty that the current process is a deterrent. In the past I decided not to discuss some issues because of it (hopefully not to important otherwise I'd have pressed the matter and remember what it was about, but judging importance isn't easy). Security is the thing nobody wants to have to think about, but it's important nonetheless, so I think it's worth improving the process on that point. After all, all issues found and disclosed by external people are issues you don't have to find yourself ;)Who should I contact? I'd very very much like to have something like a security dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.Less specifically, it depends on the component / property. There is the https://wiki.dlang.org/People page, which has a list of points of contact.
Jun 09 2018
On Sunday, 10 June 2018 at 00:59:11 UTC, Cym13 wrote:On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:Another step at setting such a security point of contact up: https://github.com/dlang/dlang.org/pull/2398 Input is welcome.[...]This is the thing exactly, first of all the idea that the main developer of the part of the project impacted should be the one receiving the report is sound but far from obvious. In many countries there is a (stupid) legal risk associated with vulnerability disclosure, so as a researcher you'd rather be sure that you're talking to the right person. [...]
Jun 28 2018