I've created https://github.com/OSGeo/gdal/pull/4152 with a SECURITY.md
that largely uses Kurt's proposal.
Even
On 28/07/2021 at 19:37, Even Rouault wrote:
PSC,
We just got https://github.com/OSGeo/gdal/issues/4146 from someone
trying to get in touch with a security issue. How do we want to deal
with that? Personally, dealing with all the secrecy about security
issues is not super appealing and my natural inclination would be to
deal with them as any other issue.
An alternative, used by MapServer, would be to set up a dedicated
private GitHub repository, where we would invite only users (but they
are likely able to see all issues, not just theirs). Or perhaps just
make a repository accessible to PSC / trusted developers, interact
with the reporter through email (who wants to be in the email loop?)
and paste there the report and updates, but that becomes cumbersome.
Another point, assuming we have a private issue tracker, is, assuming
the issue is confirmed and we have a fix for it, how do we deal with
it? My inclination would be to just commit the fix (the issue would
become more or less public once a candidate pull request is issued)
and not issue a dedicated release, but use our regular bugfix releases.
Thoughts?
Even
--
http://www.spatialys.com
My software is free, but my time generally not.
_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev