Update SECURITY.md with anza links and names #27
3f7deb3 to 3082fbe
3082fbe to b41580c
SECURITY.md
Outdated
Once the fix is accepted, a member of the solana-labs/security-incident-response group should prepare a single patch file for each affected branch. The commit title for the patch should only contain the advisory id, and not disclose any further details about the incident. | ||
Copy the patches to https://release.solana.com/ under a subdirectory named after the advisory id (example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch). Contact a member of the solana-labs/admins group if you require access to release.solana.com | ||
Once the fix is accepted, a member of the anza-xyz/security-incident-response group should prepare a single patch file for each affected branch. The commit title for the patch should only contain the advisory id, and not disclose any further details about the incident. | ||
Copy the patches to https://release.solana.com/ under a subdirectory named after the advisory id (example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch). Contact a member of the anza-xyz/admins group if you require access to release.solana.com |
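Review bot: the rewritten paragraph still directs readers to https://release.solana.com/ (and the example path https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch) while the groups it names have moved to anza-xyz/security-incident-response and anza-xyz/admins; if the hosting location is changing with the org rename, update the URL and the example in the same edit, otherwise the text sends a responder to one organization's admins for access to another organization's host.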
I have some concerns here:
- I think we shouldn't give write permission on the release bucket to anyone else. Maybe we can have another bucket for it 🤔
- If we think that's fine, we will need to update it to https://release.anza.xyz (line 74 needs to be updated as well).
Yeah good call.
@t-nelson Have we been following this guidance on releasing patch files? I've never done it.
We really only use these instructions for loss of funds. AFAIK we've never actually hosted a patch file; we just attach it directly to a message in the chat.
I ripped out that whole section. It was overly prescriptive and not representative of how we've been doing things. The new language better reflects the judgement calls we make when shipping patches.
88eb104 to 4c0a228
LGTM! Just need to check if we have the email alias for [email protected] 📫
Switched it to [email protected] (there's a Slack conversation in |
Sorry for missing this one. Am I correct that we won't have an email for [email protected]? (FWIW, we have set up an email for [email protected].)