On Fri, Sep 27, 2019 at 9:21 AM Maxime Coquelin <[email protected]> wrote:
> On 9/21/19 4:52 PM, [email protected] wrote:
> > From: Luca Boccassi <[email protected]>
> >
> > The OSS-security project functions as a single point of contact for
> > pre-release, embargoed security notifications. Distributions and major
> > vendors are subscribed to this private list, so that they can be warned
> > in advance and schedule the work required to fix the vulnerability.
> >
> > List and link this process in the DPDK security process document.
> >
> > Signed-off-by: Luca Boccassi <[email protected]>
> > ---
> > v1: As discussed at Userspace, we should include oss-security in the advanced
> > private notice. This change has a brief explanation and a link to the process.
> > v2: --signoff missing in v1, lost somewhere between brain and keyboard
> >
> > doc/guides/contributing/vulnerability.rst | 13 +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
>
> Thanks Luca, it's much appreciated.
> Other than the typo reported below, it looks good to me:
>
> Reviewed-by: Maxime Coquelin <[email protected]>
>
> Maxime
>
> >
> > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> > index a4bef48576..78f65fe81b 100644
> > --- a/doc/guides/contributing/vulnerability.rst
> > +++ b/doc/guides/contributing/vulnerability.rst
> > @@ -194,6 +194,14 @@ Downstream stakeholders (in `security-prerelease list > > * Major DPDK users, considered trustworthy by the technical board, who > > have made the request to `[email protected] > > <mailto:[email protected]>`_ > > > > +The `OSS security private mailing list mailto:[email protected]>` > > will > > +also be contacted one week before the end of the embargo, as indicated by > > `the > > +OSS-security process > > <https://oss-security.openwall.org/wiki/mailing-lists/distros>` > > +and using the PGP key listed on the same page, describind the details of > > the > > s/describind/describing/
Fixed while applying. > > > +vulnerability and sharing the patch[es]. Distributions and major vendors > > follow > > +this private mailing list, and it functions as a single point of contact > > for > > +embargoed advance notices for open source projects. > > + > > The security advisory will be based on below template, > > and will be sent signed with a security team's member GPG key. > > > > @@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that > > system administrators > > do not have to deal with security updates over the weekend. > > > > The security advisory is posted > > -to `[email protected] <mailto:[email protected]>`_ > > -as soon as the patches are pushed to the appropriate branches. > > +to `[email protected] <mailto:[email protected]>`_ and to `the public > > OSS-security > > +mailing list <mailto:[email protected]>` as soon as the > > patches > > +are pushed to the appropriate branches. > > > > Patches are then sent to `[email protected] <mailto:[email protected]>`_ > > and `[email protected] <mailto:[email protected]>`_ accordingly. > > Applied, thanks. -- David Marchand
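Review bot: in the @@ -194 hunk the first added link, `OSS security private mailing list mailto:[email protected]>`, is missing the opening "<" before "mailto:" and the trailing "_" that reStructuredText requires for an external hyperlink, and the `the OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>` reference also lacks the trailing "_"; without it Sphinx renders both as plain interpreted text rather than links. Suggest the form already used two lines above in the same context, `[email protected] <mailto:[email protected]>`_, for both references. The describind/describing typo flagged in the thread is already fixed on apply.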
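Review bot: in the @@ -276 hunk the new `the public OSS-security mailing list <mailto:[email protected]>` reference likewise omits the trailing "_" after the closing backtick, unlike the adjacent `[email protected] <mailto:[email protected]>`_ on the same line, so it will not render as a hyperlink; add the underscore. It would also help readers to state in this sentence that the public post happens only after the embargo has ended, since the earlier hunk describes the private distros contact as a pre-embargo step and the two lists share a name.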

