
Update SECURITY.md with anza links and names #27

Merged
merged 3 commits into from
May 7, 2024

Conversation

willhickey


SECURITY.md Outdated
Once the fix is accepted, a member of the solana-labs/security-incident-response group should prepare a single patch file for each affected branch. The commit title for the patch should only contain the advisory id, and not disclose any further details about the incident.
Copy the patches to https://release.solana.com/ under a subdirectory named after the advisory id (example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch). Contact a member of the solana-labs/admins group if you require access to release.solana.com
Once the fix is accepted, a member of the anza-xyz/security-incident-response group should prepare a single patch file for each affected branch. The commit title for the patch should only contain the advisory id, and not disclose any further details about the incident.
Copy the patches to https://release.solana.com/ under a subdirectory named after the advisory id (example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch). Contact a member of the anza-xyz/admins group if you require access to release.solana.com
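Review bot: the group names in these lines move from solana-labs to anza-xyz, but the patch host stays on the old domain in both the copy target and the example URL ("Copy the patches to https://release.solana.com/ ... example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch"). If the release bucket is also moving to the new organization, change the host in the same commit so the instructions never point the anza-xyz/admins group at a bucket it does not administer; if it is not moving, say so explicitly next to the contact line so a responder under time pressure does not have to guess which organization controls the upload.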
Member


Have some concerns here:

  1. I think we shouldn't give write permission on the release bucket to anyone else. Maybe we can have another bucket for it 🤔
  2. If we think that's fine, we will need to update it to https://release.anza.xyz. (Line 74 needs to be updated as well.)

Author


Yeah good call.

@t-nelson Have we been following this guidance on releasing patch files? I've never done it.


We really only use these instructions for loss of funds. AFAIK we've never actually hosted a patch file; we just attach it directly to a message in the chat.

Author


I ripped out that whole section. It was overly prescriptive and not representative of how we've been doing things. The new language better reflects the judgement calls we make when shipping patches.

@willhickey willhickey force-pushed the whickey/security_policy branch from 88eb104 to 4c0a228 Compare April 1, 2024 19:49
@willhickey willhickey requested a review from yihau April 1, 2024 20:02
yihau previously approved these changes Apr 2, 2024
Member

@yihau yihau left a comment


LGTM! Just need to check that we have the email alias for [email protected] 📫

@willhickey
Author

LGTM! Just need to check that we have the email alias for [email protected] 📫

Switched it to [email protected] (there's a Slack conversation in #comms-internal)

@willhickey willhickey requested a review from yihau April 3, 2024 19:35
Member

@yihau yihau left a comment


Sorry for missing this one. Am I correct that we won't have an email for [email protected]? (FWIW, we have set up an email for [email protected].)

@yihau yihau merged commit bf1b765 into master May 7, 2024
9 checks passed
@yihau yihau deleted the whickey/security_policy branch May 7, 2024 17:55